
I recently scanned my system for a PCI compliance test using NMAP. NMAP reported the following weak ciphers:

```
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
```

These are all reported on TLSv1.2 on port 5061. Port 5061 runs my secure SIP connection.

To resolve this, I disabled 3DES (Triple DES 168) in the registry, and also disabled the RC4 and MD5 ciphers completely in the registry.

I also set an SSL cipher suite order which does not use DES/3DES/RC4 or MD5, but still, after each scan the same vulnerabilities are being reported.

How can I resolve this and completely disable these ciphers? Also, is there any way to block cipher suite negotiation on any particular port?

Thanks.

P.S. This is a Windows Server 2012 machine.

Gil Hamilton
vsinha23
    Could you add, what software do you use for SIP on 5061? – iXCray Aug 01 '17 at 11:33
  • Not specific enough for an answer, but [Bulletproof SSL and TLS](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/) is a great resource for TLS configuration. Also, the reason that first one has a low score is the 1024-bit-equivalent DH parameter. You'll have to change that or generate custom parameters to avoid a low score on DHE ciphersuites. – bonsaiviking Aug 01 '17 at 14:23
  • @iXCray I am using Dialogic HMP for SIP calls. Plus we have our own media server. – vsinha23 Aug 02 '17 at 04:40

0 Answers
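An added example, not from the question or the comments: a PowerShell script that audits the SChannel registry keys for exactly the cipher families the scan flagged (3DES, RC4, MD5) and then checks the configured cipher suite order for any suite that still names them. It assumes the SIP service on port 5061 uses SChannel for TLS; if the SIP stack ships its own TLS library, these registry keys have no effect on it and the cipher configuration has to be done in that software instead. The key names under `SCHANNEL\Ciphers` and `SCHANNEL\Hashes` and the two cipher-order locations are the standard Windows ones; the `-Apply` switch and the `$weak` pattern are this example's own choices.

```powershell
# Added example (not the question's own code): audit SChannel cipher/hash keys and
# the cipher suite order on a Windows Server 2012 host. Run from an elevated prompt.
# -Apply writes Enabled=0 for each listed key; SChannel only reads these keys at
# boot, so a reboot is still required before a rescan will show the change.
[CmdletBinding()]
param([switch]$Apply)

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# One key per cipher or hash; all of these are machine-wide, there is no per-port key.
$targets = @(
    "$schannel\Ciphers\Triple DES 168",
    "$schannel\Ciphers\RC4 128/128",
    "$schannel\Ciphers\RC4 64/128",
    "$schannel\Ciphers\RC4 56/128",
    "$schannel\Ciphers\RC4 40/128",
    "$schannel\Hashes\MD5"
)

function Get-SchannelState([string]$relPath) {
    # A missing key or a missing Enabled value means the algorithm is still allowed.
    $key = $hklm.OpenSubKey($relPath, $false)
    if ($null -eq $key) { return 'absent (default: enabled)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'key present, Enabled missing (default: enabled)' }
        if ([int64]$v -eq 0) { return 'disabled' }
        return ('enabled (Enabled=0x{0:x})' -f $v)
    } finally { $key.Close() }
}

function Set-SchannelDisabled([string]$relPath) {
    # CreateSubKey accepts the '/' in names like "RC4 128/128"; New-Item would
    # treat '/' as a path separator and create the wrong key.
    $key = $hklm.CreateSubKey($relPath)
    try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

'--- SChannel cipher/hash keys ---'
foreach ($t in $targets) {
    if ($Apply) { Set-SchannelDisabled $t }
    '{0,-28} {1}' -f $t.Substring($schannel.Length + 1), (Get-SchannelState $t)
}

# Cipher suite order: the policy key (written by local or Group Policy) takes
# precedence when present; otherwise SChannel uses the default order under Local.
$orderKeys = [ordered]@{
    'policy'  = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    'default' = 'SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
}
$weak = 'DES|RC4|MD5|NULL|EXPORT'   # example pattern for suites that should not be listed

'--- cipher suite order ---'
foreach ($name in $orderKeys.Keys) {
    $key = $hklm.OpenSubKey($orderKeys[$name], $false)
    if ($null -eq $key) { "$name order: key absent"; continue }
    $functions = $key.GetValue('Functions')   # REG_SZ (comma-separated) or REG_MULTI_SZ
    $key.Close()
    if ($null -eq $functions) { "$name order: no Functions value"; continue }
    $suites = (@($functions) -join ',') -split ',' | Where-Object { $_ }
    "$name order: $($suites.Count) suites listed"
    $suites | Where-Object { $_ -match $weak } |
        ForEach-Object { "  still lists weak suite: $_" }
}
```

Two things the output makes visible that explain a scan that does not change: a key that exists but whose `Enabled` value was never written, and an order list that was edited under one of the two locations while the other still governs. Once every key reports `disabled`, reboot, then rerun the same NMAP scan against port 5061; if the weak suites are still offered after that, the listener is not using SChannel and must be configured in the SIP software itself. Because the keys are machine-wide, per-port restriction of cipher negotiation is only possible if the application exposes its own cipher settings.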