https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281337#M26698 <P>During a recent PCI compliance scan, 4 our our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module. We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.</P> Tue, 16 Jun 2009 13:23:28 GMT aanelso1 2009-06-16T13:23:28Z https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281337#M26698 <P>During a recent PCI compliance scan, 4 our our current SSL-Service(s) on the SSL module were scanned and came up with the "SSL Server Supports Weak Encryption Vulnerability". I have checked the configuration and all of our extranet web sites that are hosted on the CSM and have SSL termination at the SSL module appear the same. Also, the private key generated is a 1024 byte key pair. No defined ciphers are in the configuration at this time. Should there be? Is there a white paper on best practices for highest security using the SSL module. We will soon be migrating off to ACE modules, but with PCI compliance currently at hand, we have to mitigate this issue as soon as possible. Thanks.</P> Tue, 16 Jun 2009 13:23:28 GMT https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281337#M26698 aanelso1 2009-06-16T13:23:28Z https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281338#M26699 <HTML><HEAD></HEAD><BODY><P>Configure an ssl policy to limit the cipher list.</P><P>Remove the weak ones and run your test again.</P><P></P><P></P><P>ssl-proxy(config-context)#policy ssl Ciphers</P><P></P><P>ssl-proxy(config-ctx-ssl-policy)#cipher ?</P><P> all All supported ciphers</P><P> all-export All export ciphers</P><P> all-strong All strong ciphers</P><P> rsa-exp-with-des40-cbc-sha rsa export with des40-sha</P><P> rsa-exp-with-rc4-40-md5 rsa export with rc4-md5</P><P> rsa-exp1024-with-des-cbc-sha rsa export1024 with des-sha</P><P> rsa-exp1024-with-rc4-56-md5 rsa export1024 with rc4-md5</P><P> rsa-exp1024-with-rc4-56-sha rsa export1024 with rc4-sha</P><P> rsa-with-3des-ede-cbc-sha rsa with 3des-sha</P><P> rsa-with-des-cbc-sha rsa with des-sha</P><P> rsa-with-null-md5 rsa with null-md5</P><P> rsa-with-rc4-128-md5 rsa with rc4-md5</P><P> rsa-with-rc4-128-sha rsa with rc4-sha</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 16 Jun 2009 14:44:40 GMT https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281338#M26699 Gilles Dufour 2009-06-16T14:44:40Z https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281339#M26700 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick response!!</P><P></P><P>I am a bit confused here....it appears that configuration that you are suggesting is for an ACE module. We are currently needing similar for SSL-Module (used in conjunction with CSM).</P><P></P><P>This is what I think I will be using:</P><P></P><P>bvlcoelablbrtr1-ssl(config)#ssl-proxy policy ssl Ciphers</P><P>bvlcoelabl(config-ssl-policy)#cipher rsa-with-rc4-128-md5</P><P></P><P>I am assuming that the default is to use all which on the SSL-Module includes the following (I believe that rsa with des-sha is the only weak encryption). </P><P></P><P> all All supported ciphers</P><P> rsa-with-3des-ede-cbc-sha rsa with 3des-sha</P><P> rsa-with-des-cbc-sha rsa with des-sha</P><P> rsa-with-rc4-128-md5 rsa with rc4-md5</P><P> rsa-with-rc4-128-sha rsa with rc4-sha</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 16 Jun 2009 18:59:41 GMT https://community.cisco.com/t5/application-networking/weak-encryption-ssl-module/m-p/1281339#M26700 aanelso1 2009-06-16T18:59:41Z