On 10/26/2014 07:34 PM, Norbert Preining wrote:
> So what I got from cipherscan is the following:
>
> prio  ciphersuite           protocols    pfs_keysize
> 1     RC4-SHA               SSLv3
> 2     RC4-MD5               SSLv2,SSLv3
> 3     EDH-RSA-DES-CBC3-SHA  SSLv3        DH,1024bits
> 4     DES-CBC3-SHA          SSLv3
> 5     EDH-RSA-DES-CBC-SHA   SSLv3        DH,1024bits
> 6     DES-CBC-SHA           SSLv3
> 7     EXP-DES-CBC-SHA       SSLv3        RSA,512bits
> 8     EXP-RC4-MD5           SSLv2,SSLv3  RSA,512bits
>
>
> Does this tell you masters anything? It seems that it is SSLv3 only
> considering SSLv2 as even worse?

I'm not familiar with the details of cipherscan and how it evaluates this, but reading from the reasonable interpretation of the above:

This is remarkably bad on a modern network. SSLv2 has been explicitly prohibited for over 3 years now:

https://tools.ietf.org/html/rfc6176

And this is coming from a body (the IETF) that has a very difficult time explicitly stating that a given protocol is prohibited.

The export ciphersuites (denoted here with the EXP- prefix) are also known-broken (arguably, designed broken), and should never be used by anyone who cares about confidentiality or integrity.

RC4 is also known to be significantly weaker than anything you should want (we're working on explicitly prohibiting it [0]).

The single-DES ciphersuites (items 5 and 6 above) are also only ~56 bits of security, which is far too little.

so the only two semi-plausible ciphers in the above list are 3 and 4, and those are really only possibly acceptable in contexts vulnerable to BEAST and the like (e.g. web browsers) if the server does record splitting (e.g. [1]), which i would guess that an old unmaintained server does not.

In short, keeping this server off the public internet is a good idea, and its administrators should really do an overhaul of its TLS stack.

Please use modern, well-supported crypto. we know there are problems with the old stuff.

--dkg

[0] https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4
[1] https://rt.openssl.org/Ticket/Display.html?id=2635&user=guest&pass=guest
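The triage in the reply above, applied mechanically to the quoted cipherscan rows. This is an added example, not part of the original message and not cipherscan's own code; the function names (`parse`, `findings`, `audit`, `semi_plausible`) are hypothetical, and it assumes OpenSSL-style suite names in a `prio suite protocols [pfs]` row layout.

```python
# Rows copied from the cipherscan output quoted in the message above.
SCAN = """\
prio ciphersuite protocols pfs_keysize
1 RC4-SHA SSLv3
2 RC4-MD5 SSLv2,SSLv3
3 EDH-RSA-DES-CBC3-SHA SSLv3 DH,1024bits
4 DES-CBC3-SHA SSLv3
5 EDH-RSA-DES-CBC-SHA SSLv3 DH,1024bits
6 DES-CBC-SHA SSLv3
7 EXP-DES-CBC-SHA SSLv3 RSA,512bits
8 EXP-RC4-MD5 SSLv2,SSLv3 RSA,512bits
"""

def parse(text):
    """Yield (prio, suite, protocols) for each data row; skip header and blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2].split(",")

def findings(suite, protocols):
    """Return the objections raised in the reply that apply to one row."""
    out = []
    tokens = suite.split("-")  # match whole name components, not substrings
    if "SSLv2" in protocols:
        out.append("SSLv2 offered (prohibited by RFC 6176)")
    if tokens[0] == "EXP":
        out.append("export ciphersuite")
    if "RC4" in tokens:
        out.append("RC4")
    # OpenSSL names 3DES as DES-CBC3; DES with plain CBC is single DES.
    if "DES" in tokens and "CBC3" not in tokens:
        out.append("single DES (~56 bits)")
    return out

def audit(text):
    """Map prio -> list of objections for every row in the scan."""
    return {prio: findings(suite, protos) for prio, suite, protos in parse(text)}

def semi_plausible(text):
    """Priorities with no objection from the reply's list."""
    return [prio for prio, f in audit(text).items() if not f]

if __name__ == "__main__":
    for prio, suite, protos in parse(SCAN):
        notes = findings(suite, protos) or ["no objection from the reply's list"]
        print(f"{prio}  {suite:22} {'; '.join(notes)}")
```

Rows that come back with no objection are only the reply's "semi-plausible" set; the BEAST and record-splitting condition on them is a property of the server, which this check does not test.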