
Verify QID 38140 - SSL Server Supports Weak Encryption Vulnerability

Created by kb-author-1 on May 19, 2010 4:40 PM - Last modified by Joe Gregory on Dec 4, 2012 2:18 PM

Issue:

The QualysGuard Scan Results show that my host is vulnerable with QID 38140 - SSL Server Supports Weak Encryption Vulnerability.  How can I verify this?


Solution:

The test for QID 38140 can be verified manually on a Unix based machine.


On a command line, type:

openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher LOW


Where TARGET_IP is the IP address of the host in question and PORT_NUMBER is the port listed in the scan report for this QID.


For mail servers (port 25 and others) that use STARTTLS, you will need to use:

openssl s_client -connect 66.241.44.125:25 -starttls smtp -cipher LOW


If the result is an SSL handshake error similar to the example below, the host is not vulnerable:


CONNECTED(00000003)
9216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


However, if the connection is established and a large amount of data is displayed, including the certificate and the negotiated cipher, the host is vulnerable.


Note: The LOW cipher string does not include the export (EXP) cipher suites, which are also weak, so a host that fails the LOW test must be tested against EXP separately. For example:


Failed: openssl s_client -connect 199.239.159.148:443 -cipher LOW


Successful: openssl s_client -connect 199.239.159.148:443 -cipher EXP


This is explained on the OpenSSL website: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
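The following script is an added example, not part of the Qualys article: it wraps the manual openssl s_client checks above, runs both the LOW and EXP cipher strings (since LOW does not cover export suites), and classifies the output. It assumes openssl is on PATH and that HOST, PORT and an optional STARTTLS protocol name are supplied by the caller; note that current OpenSSL builds ship without LOW/EXP suites, in which case openssl reports "no cipher match" and the client simply cannot run this test.

```shell
#!/bin/sh
# Added example (not from the Qualys article): automates the QID 38140
# manual check. Assumes openssl on PATH; host/port/protocol come from the caller.

# classify_s_client "<s_client output>"
# Prints one of: vulnerable, not_vulnerable, client_cannot_test
classify_s_client() {
  out="$1"
  case "$out" in
    # local OpenSSL has no suite matching the cipher string; says nothing about the host
    *"no cipher match"*|*"no ciphers available"*)
      echo "client_cannot_test" ;;
    # server refused every weak suite that was offered
    *"handshake failure"*|*"Cipher is (NONE)"*)
      echo "not_vulnerable" ;;
    # a session was negotiated with one of the weak suites
    *"Cipher is "*)
      echo "vulnerable" ;;
    *)
      echo "client_cannot_test" ;;
  esac
}

# run_s_client HOST PORT CIPHER_STRING [STARTTLS_PROTO]
# Feeds an empty stdin so s_client exits instead of waiting for input.
run_s_client() {
  host="$1"; port="$2"; ciphers="$3"; proto="$4"
  if [ -n "$proto" ]; then
    echo | openssl s_client -connect "$host:$port" -starttls "$proto" -cipher "$ciphers" 2>&1
  else
    echo | openssl s_client -connect "$host:$port" -cipher "$ciphers" 2>&1
  fi
}

# check_weak_ciphers HOST PORT [STARTTLS_PROTO]
# Tests LOW and EXP separately, because the LOW string excludes export suites.
check_weak_ciphers() {
  for c in LOW EXP; do
    verdict=$(classify_s_client "$(run_s_client "$1" "$2" "$c" "$3")")
    echo "$c: $verdict"
  done
}

# Usage: ./check_qid38140.sh 192.0.2.10 443   or   ./check_qid38140.sh 192.0.2.10 25 smtp
if [ $# -ge 2 ]; then
  check_weak_ciphers "$@"
fi
```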


To remedy this issue, please examine the host in question and find out what service is running on the port that is listed for this vulnerability in the scan results, then reconfigure that service to disable SSLv2 and low encryption ciphers.


For further assistance with host configuration or additional remediation information, contact the vendor of the host and/or service.



Qualys Support KnowledgeBase

http://community.qualys.com/community/kb


ID:  0001.001.613.000
