Verify QID 38140 - SSL Server Supports Weak Encryption Vulnerability

Document created by kb-author-1 (Employee) on May 19, 2010. Last modified by Joe Gregory on Dec 4, 2012.
Version 7

Issue:

The QualysGuard Scan Results show that my host is vulnerable with QID 38140 - SSL Server Supports Weak Encryption Vulnerability. How can I verify this?


Solution:

The test for QID 38140 can be verified manually on a Unix-based machine.


On a command line, type:

openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher LOW


Where TARGET_IP is the IP address of the host in question and PORT_NUMBER is the port listed in the scan report for this QID.


For mail servers (port 25 and others) that use STARTTLS, you will need to use:

openssl s_client -connect 66.241.44.125:25 -starttls smtp -cipher LOW


If the result is an SSL handshake error similar to the example below, the host is not vulnerable:


CONNECTED(00000003)


9216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


However, if the connection is established and a large amount of data is displayed including the certificate, the host is vulnerable.


Note: The LOW cipher string does not include the export cipher suites (which are also low strength), so a host can fail the LOW test yet still accept export ciphers. Test them separately with -cipher EXP:


Failed: openssl s_client -connect 199.239.159.148:443 -cipher LOW


Successful: openssl s_client -connect 199.239.159.148:443 -cipher EXP


This is explained on the OpenSSL website: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
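The manual check above, wrapped as a small POSIX shell script that runs both the LOW and EXP cipher strings and classifies the s_client output the way the article describes. This is an added example, not part of the Qualys KB article; the "inconclusive" branch assumes that OpenSSL builds which no longer ship LOW/EXP ciphers reject the cipher string locally before any connection is made.

```shell
#!/bin/sh
# Added example, not part of the Qualys KB article: wraps the manual
# openssl s_client check for QID 38140 and classifies its output.
# Cipher strings LOW and EXP are the ones the article uses.

# Classify captured "openssl s_client" output (stdout+stderr).
# Prints: not-vulnerable | vulnerable | inconclusive
classify_handshake() {
  case "$1" in
    # Assumption: newer OpenSSL builds no longer ship LOW/EXP ciphers and
    # refuse the cipher string locally; that says nothing about the server.
    *"rror setting cipher list"*|*"no cipher match"*|*"no ciphers available"*)
      echo "inconclusive" ;;
    *"handshake failure"*)
      echo "not-vulnerable" ;;   # server rejected every weak suite offered
    *"BEGIN CERTIFICATE"*)
      echo "vulnerable" ;;       # session established with a weak suite
    *)
      echo "inconclusive" ;;
  esac
}

# Run the article's check for both LOW and EXP against HOST PORT [STARTTLS_PROTO].
check_weak_ciphers() {
  host="$1"; port="$2"; proto="${3:-}"
  for cs in LOW EXP; do
    if [ -n "$proto" ]; then
      out=$(openssl s_client -connect "$host:$port" -starttls "$proto" \
              -cipher "$cs" </dev/null 2>&1) || true
    else
      out=$(openssl s_client -connect "$host:$port" -cipher "$cs" \
              </dev/null 2>&1) || true
    fi
    printf '%s:%s cipher=%s -> %s\n' "$host" "$port" "$cs" "$(classify_handshake "$out")"
  done
}

# Constructed sample outputs (the failure text is the article's own example).
SAMPLE_FAILURE='CONNECTED(00000003)
9216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:'
SAMPLE_SUCCESS='CONNECTED(00000003)
---
Certificate chain
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----'

classify_handshake "$SAMPLE_FAILURE"   # not-vulnerable
classify_handshake "$SAMPLE_SUCCESS"   # vulnerable
if [ "$#" -ge 2 ]; then check_weak_ciphers "$@"; fi   # live: sh script.sh HOST PORT [smtp]
```

Run it with no arguments to see the classifier on the constructed samples; pass HOST PORT (and smtp for a STARTTLS mail server) to run the live check from the article.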


To remedy this issue, please examine the host in question and find out what service is running on the port that is listed for this vulnerability in the scan results, then reconfigure that service to disable SSLv2 and low encryption ciphers.


For further assistance with host configuration or additional remediation information, contact the vendor of the host and/or service.



Qualys Support KnowledgeBase

http://community.qualys.com/community/kb


ID:  0001.001.613.000
