Server has "weak cipher setting" according to security audit, replaced offending cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, but still failing retest audit?

Question

We received an audit from our local cyber security team in which one of our servers displays "Insufficient Transport Layer Protection".

According to their description:

" DESCRIPTION: The server supports the following weak ciphers:

TLS_RSA_WITH_3DES_EDE_CBC_SHA [0x0a] RSA 3DES 168

These ciphers are known to have cryptographic weaknesses that make them unsuitable for use in SSL/TLS. "

The solution they've provided are as follows:

" SOLUTION: We recommend disabling support for the export and null cipher suites, as well as cipher suites using RC4/3DES. Instead, we suggest AES128-SHA for TLS 1.0 and 1.1, and AES128-GCM-SHA256 for TLS 1.2. "

In an attempt to rectify this, this is what I have done so far:

Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
Clicked on SSL Cipher Suite Order
Clicked on radio button "Enabled"
Replaced the string of supported cipher suites with this one:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5
Rebooted server and ran retest using nmap utility application.

We ran a retest on our server, and it appears the vulnerability is still outgoing:

Image of nmap result

Our box is a Windows 2008 R2 server.

Is there another method on how to solve this issue?

score 0 · Accepted Answer · answered Aug 14 '17 at 19:17

0

the new cipher suite string you installed still has 3DES ciphers in it. Get rid of anything in the list with the word DES.

answered Aug 14 '17 at 19:17

Dan Pritts

3,221
26
28

Awesome, a second pair of eyes always seems to help. I should have double checked the list of cipher suites that was given to us, thank you for pointing this out to me. Cheers – Lasagna Cat Aug 14 '17 at 19:40

Server has "weak cipher setting" according to security audit, replaced offending cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, but still failing retest audit?

1 Answers1