07-03-2012 12:23 PM - edited 03-11-2019 04:25 PM
We got the alert below when we ran the PCI scan on our VPN firewall (we use it for remote-access VPN). Did anyone come across this?
OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Solution-
Upgrade to OpenSSL 0.9.8j or later.
ASA 5510 running 8.2(2)
Siddhartha
07-03-2012 05:31 PM
I have seen a similar issue reported by an external auditor when, for the ASA firewall, the "medium" and "weak" SSL ciphers were reported as supported. You can harden the ASA with the setting:
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
...applied from the command line. The ciphers listed in that command are all "strong" and should result in the scan being successful. This should not impact any clients running anything like a modern browser.
You can find the equivalent commands in ASDM under "Configuration, Remote Access VPN, Advanced, SSL Settings". Just make the menu picks so that only the above-listed algorithms are in the "Active Algorithms" list.
07-05-2012 11:02 AM
Thanks Marvin, will make the change and see if it resolves the issue.
Siddhartha
07-05-2012 02:47 PM
Marvin,
I removed that SSL cipher and ran the scan again but am still getting the error; below is the output from my ASA.
Any other workaround?
vpn# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
Siddhartha
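As an added example (not from this thread or from Cisco), here is a small audit of the `show run all ssl` output quoted above: it parses each `ssl` line and reports any cipher outside an assumed allowed set, plus a `server-version` value that still permits SSLv3. The allowed set and the SSLv3 check are assumptions for the example, not the scanner's policy.

```python
import re
from typing import Dict, List

# Constructed sample: the "sh run all ssl" output posted above in this thread.
SAMPLE_CONFIG = """\
vpn# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
"""

# Assumed policy for this example only: the ciphers the thread ended up keeping,
# and the ASA server-version keywords that still allow an SSLv3 negotiation.
STRONG_CIPHERS = {"aes256-sha1", "aes128-sha1", "3des-sha1"}
SSLV3_VERSIONS = {"any", "sslv3"}


def parse_ssl_config(text: str) -> Dict[str, List[str]]:
    """Map each 'ssl <keyword> <args...>' line to keyword -> argument list.

    Prompt lines such as 'vpn# sh run all ssl' do not start with 'ssl' and are skipped.
    """
    settings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*ssl\s+(\S+)\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings


def audit_ssl_config(text: str, allowed=STRONG_CIPHERS) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    settings = parse_ssl_config(text)
    findings: List[str] = []
    ciphers = settings.get("encryption", [])
    if not ciphers:
        findings.append("no 'ssl encryption' line found (ASA default cipher list applies)")
    for cipher in ciphers:
        if cipher not in allowed:
            findings.append(f"cipher {cipher} is not in the allowed set")
    # ASA default when the line is absent is 'any', which negotiates SSLv3 or TLSv1.
    version = settings.get("server-version", ["any"])[0]
    if version in SSLV3_VERSIONS:
        findings.append(f"server-version {version} still permits SSLv3")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(SAMPLE_CONFIG) or ["config passes the assumed policy"]:
        print(finding)
```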
07-10-2012 10:17 AM
Anyone...?
Siddhartha
07-10-2012 11:20 AM
Hi Siddhartha,
I think Marvin is correct in his explanation; the change in accepted cipher suites should fix the problem. I think you have to contact the PCI scan company about a false positive. The bug mentioned by them works by switching to a lower cipher suite in the middle of the connection, but since you are not supporting any medium or lower security ciphers it should affect you.
Here's a good read on this security violation:
http://www.openssl.org/news/secadv_20101202.txt
Also, you might be able to get rid of this issue completely by updating to the latest code running on your ASA from Cisco, which might be built on a newer version of OpenSSL.
Thanks
Manish
07-19-2012 01:04 PM
Thanks guys. Upgrading the firewall to 8.4.3 resolved the issue.
Siddhartha