Adm Selec

Chief Information Officers Council blocks SSL Labs production scan, receives an F on development because of SSL2 enabled

Discussion created by Adm Selec on Jun 10, 2015
Latest reply on Jun 11, 2015 by Lily Wilson

While https://https.cio.gov receives an A+ (it still doesn't support OCSP stapling, though), it is impossible to test https://cio.gov.

Turns out they are hiding something that cannot be unseen.

Production

SSL Server Test: https.cio.gov (Powered by Qualys SSL Labs)

Development

SSL Server Test: https.cio.gov (Powered by Qualys SSL Labs)

This site works only in browsers with SNI support.

This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

This server supports HTTP Strict Transport Security with long duration. Grade set to A+.

Production

SSL Server Test: cio.gov (Powered by Qualys SSL Labs)

Assessment failed: Unable to connect to server

Development

SSL Server Test: cio.gov (Powered by Qualys SSL Labs)

This server supports SSL 2, which is obsolete and insecure. Grade set to F.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

This server accepts the RC4 cipher, which is weak. Grade capped to B.

Protocols
TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3     No
SSL 2     Yes   INSECURE

Cipher suites (SSL 2)                                          Bits
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)           INSECURE         56
SSL_CK_RC4_128_WITH_MD5 (0x10080)              INSECURE        128
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)          INSECURE        128
SSL_CK_IDEA_128_CBC_WITH_MD5 (0x50080)         INSECURE        128
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)     INSECURE        112

RC4   Yes   WEAK
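To make the grade adjustments in the two reports concrete, here is an added Python model (not code from the original post, and not the Qualys SSL Labs algorithm) of how "grade set to F", "grade capped to B" and the HSTS bonus combine. The grade scale order, the base grade of A, and the report inputs transcribed into the constants are assumptions; the rules are only the ones the reports state.

```python
from typing import Dict, List, Tuple

# Grade scale, worst to best. The order is assumed; only the grades that
# appear in the two reports (F, B, A+) are taken from the page.
GRADES: List[str] = ["F", "T", "C", "B", "A-", "A", "A+"]

Finding = Tuple[str, str, str]   # (description, action, grade); action: set | cap | bonus

def findings_from_report(protocols: Dict[str, bool], suites: List[str],
                         weak_dh: bool, hsts_long: bool) -> List[Finding]:
    """Turn a report's raw facts into the findings the grader reasons about."""
    out: List[Finding] = []
    if protocols.get("SSL 2"):
        out.append(("SSL 2 supported", "set", "F"))        # obsolete: grade set to F
    if weak_dh:
        out.append(("weak DH parameters", "cap", "B"))     # grade capped to B
    if any("RC4" in s for s in suites):
        out.append(("RC4 accepted", "cap", "B"))           # grade capped to B
    if hsts_long:
        out.append(("HSTS long duration", "bonus", "A+"))  # an A becomes A+
    return out

def apply_findings(base: str, findings: List[Finding]) -> str:
    """'set' overrides, 'cap' only ever lowers, 'bonus' lifts an A to A+."""
    grade = base
    for _desc, action, g in findings:
        if action == "set":
            grade = g
        elif action == "cap":
            grade = GRADES[min(GRADES.index(grade), GRADES.index(g))]
    if grade == "A" and any(action == "bonus" for _d, action, _g in findings):
        grade = "A+"
    return grade

# Constructed inputs transcribed from the two reports above.
PROD_HTTPS = findings_from_report({"TLS 1.2": True, "SSL 2": False}, [], False, True)
DEV_CIO = findings_from_report(
    {"TLS 1.2": True, "TLS 1.1": True, "TLS 1.0": True, "SSL 3": False, "SSL 2": True},
    ["SSL_CK_DES_64_CBC_WITH_MD5", "SSL_CK_RC4_128_WITH_MD5",
     "SSL_CK_RC2_128_CBC_WITH_MD5", "SSL_CK_IDEA_128_CBC_WITH_MD5",
     "SSL_CK_DES_192_EDE3_CBC_WITH_MD5"],
    weak_dh=True, hsts_long=False)

if __name__ == "__main__":
    print("https.cio.gov:", apply_findings("A", PROD_HTTPS))          # A+
    print("cio.gov:", apply_findings("A", DEV_CIO))                    # F
    # Switching off SSL 2 alone does not help much: weak DH and RC4 still cap at B.
    print("cio.gov without SSL 2:", apply_findings("A", DEV_CIO[1:]))  # B
```

The third case is the point for remediation: disabling SSL 2 removes the F, but the grade stays capped at B until the weak DH parameters and RC4 are removed as well.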


So what are we going to do with this?
