A customer reported that their Airwave 7.2.4 server failed a third-party security audit due to Anonymous Authentication being enabled for SSL connections on port 443.Support investigation discovered that pound had the following configuration:Ciphers "ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"This is the list of ciphers that contain the vulnerability (indicated by the Au=None)ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1EXP-ADH-DES-CBC-SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 exportADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 exportThe proper configuration for pound (to limit only SSLv3 and no anonymous auth) should be:Ciphers "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"to fix this on existing Airwave 7.2.4 installations you can edit the /etc/pound.cfg file and remove any authentication methods prefixed with "ADH". This only affects Airwave 7.2.4 at this time since pound replaced lighttpd in this revision.Additional info on ciphers is available via " openssl ciphers -v 'ALL' "
© Copyright 2024 Hewlett Packard Enterprise Development LPAll Rights Reserved.