SSL Anonymous Auth Vulnerability, Disable in Lighttpd?

Question asked by wesley on May 5, 2014
Latest reply on May 13, 2014 by wesley

Hi, I have a Qualys report that says my Cisco video conferencing endpoint has this threat: "SSL Server Allows Anonymous Authentication Vulnerability".

 

The Qualys report has this SOLUTION:

    Disable support for anonymous authentication.

 

    1) Apache:

    Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

    SSLProtocol -ALL +SSLv3 +TLSv1

    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

 

    For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

    SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

 

    2) IIS ...
    3) Wu-FTP...

 

I used SSH to log into the system and I see that it is running Lighttpd, not Apache. So my question is, how can I disable anonymous authentication on Lighttpd? Or instead of messing with the root files, is there a different solution?

 

Thanks.
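Added example (not part of the original post or the Qualys report): a cipher string like the one quoted above can be audited offline before it goes into any server configuration by expanding it with the local OpenSSL through Python's `ssl` module and listing any suites OpenSSL marks as unauthenticated. The function names and the bare `ALL` comparison string are illustrative choices made for this example.

```python
import ssl

# Cipher string quoted from the Qualys report above.
QUALYS_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"


def is_anonymous(cipher):
    """True if OpenSSL describes the suite as having no authentication.

    OpenSSL prints "Au=None" in the description of aNULL suites
    (the ADH-* and AECDH-* families), which is what the finding is about.
    """
    return "Au=None" in cipher["description"]


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suites it enables.

    Raises ssl.SSLError if the local OpenSSL build selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Names of anonymous suites a cipher string would leave enabled."""
    return [c["name"] for c in expand(cipher_string) if is_anonymous(c)]


if __name__ == "__main__":
    # "ALL" is a constructed comparison string, not taken from the report.
    for label, s in [("Qualys string", QUALYS_STRING), ("bare ALL", "ALL")]:
        anon = anonymous_suites(s)
        print(f"{label}: {s}")
        print("  anonymous suites enabled:", ", ".join(anon) or "none")
```

The result reflects the OpenSSL build on the machine running the script, so it validates the string itself rather than what the endpoint actually negotiates.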
