- Document ID:7004507
- Creation Date:23-Sep-2009
- Modified Date:16-Jul-2019
- Micro Focus Products:
eDirectory
NetWare
Open Enterprise Server
Environment
Novell Open Enterprise Server (OES)
Novell NetWare 6.5
Situation
SSL Allows the use of Weak Ciphers.
SSL Server Allows Cleartext Communication Vulnerability port 443/tcp over SSL
SSL Server Supports Weak Encryption Vulnerability port 443/tcp over SSL
SSL Server May Be Forced to Use Weak Encryption Vulnerability port 443/tcp over SSL
The Secure Sockets Layer (SSL) protocol allows for secure communication between a client and a server.
The following commands verify whether a port allows weak ciphers. This is useful if detection software reports a false positive.
openssl s_client -connect <ipaddress:port> -ssl2 -state
EX: openssl s_client -connect 192.168.1.100:443 -ssl2 -state
openssl s_client -connect <ipaddress:port> -cipher LOW -state
EX: openssl s_client -connect 192.168.1.100:443 -cipher LOW -state
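One way to read the result of the two checks above, as an added example that is not part of the original TID: it wraps the same openssl s_client commands and reduces their output to a single verdict, so that a run in which the local client never offered the weak protocol is not mistaken for a server that refused it. The names handshake_verdict, probe and SAMPLE_* are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the TID). Function and variable names are hypothetical.

# Read `openssl s_client` output on stdin and print one verdict:
#   NEGOTIATED <cipher>  handshake completed; check the cipher name shown
#   REFUSED              server declined what the client offered
#   UNTESTED             no handshake summary at all (connection failed, or the
#                        local openssl rejected the option, e.g. builds without
#                        -ssl2), so the run says nothing about the server
handshake_verdict() {
    awk '
        /Cipher is / {
            seen = 1
            c = $0
            sub(/.*Cipher is /, "", c)
            sub(/[ \r]+$/, "", c)
        }
        END {
            if (!seen)              print "UNTESTED"
            else if (c == "(NONE)") print "REFUSED"
            else                    print "NEGOTIATED " c
        }'
}

# probe <ipaddress:port> <s_client options>, e.g. -ssl2 or -cipher LOW
probe() {
    target=$1; shift
    # stdin from /dev/null makes s_client exit once the handshake is done
    openssl s_client -connect "$target" "$@" -state </dev/null 2>&1 |
        handshake_verdict
}

# Constructed s_client output excerpts, for illustration only.
SAMPLE_NEGOTIATED='SSL_connect:SSLv3 read finished A
---
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
    Cipher    : DES-CBC-SHA'
SAMPLE_REFUSED='SSL_connect:error in SSLv3 read server hello A
---
New, (NONE), Cipher is (NONE)'
SAMPLE_UNTESTED='unknown option -ssl2'

# With arguments, run a live check; with none, only define the functions.
[ "$#" -eq 0 ] || probe "$@"
```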
Resolution
NILE.NLM has been modified so that strong ciphers are preferred over weak ciphers by default during SSL handshakes.
Additional Information
Each of the vulnerabilities and their associated CVE numbers are listed below:
To revert to allowing weak ciphers, it is necessary to modify SYS:\ETC\NILE.CFG and enter the following:
SSL Digger by Foundstone was used to test this vulnerability.
Formerly known as TID# 10100633