Fixing SSL Null Cipher Suites Supported


Posted by Peter Bassill on 01/01/2015


Nessus Summary



Nessus Plugin ID: 66848



CVSS v3.0 Base Score: 5.3



Nessus Description:



The remote host supports the use of SSL ciphers that offer no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.



How to Fix



A null cipher suite is one where a zero level of encryption is accepted, so the connection carries its data with no encryption at all. This is totally unacceptable in any environment and should be fixed as soon as possible.








Apache Fix



The following configuration should be added to the security.conf file to apply it globally, or to an individual virtual host:



    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCompression off



IIS Fix



The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:



Disable weak ciphers



Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" dword to "0x0" for the following registry keys:

  • SCHANNEL\Ciphers\RC4 128/128

  • SCHANNEL\Ciphers\RC2 128/128

  • SCHANNEL\Ciphers\RC4 64/128

  • SCHANNEL\Ciphers\RC4 56/128

  • SCHANNEL\Ciphers\RC2 56/128

  • SCHANNEL\Ciphers\RC4 40/128

  • SCHANNEL\Ciphers\RC2 40/128

  • SCHANNEL\Ciphers\NULL

  • SCHANNEL\Hashes\MD5



Enable strong ciphers



Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" dword to "0xffffffff" for the following registry keys:

  • SCHANNEL\Ciphers\Triple DES 168/168

  • SCHANNEL\Hashes\SHA

  • SCHANNEL\KeyExchangeAlgorithms\PKCS



If the Enabled dword doesn't exist yet, please create the dword and set the value to "0x0" or "0xffffffff" as required.
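
The registry steps above can be scripted. This is an added example, not part of the original post or of the Microsoft article; the function name Set-SchannelEnabled is hypothetical, and the key paths are the ones listed above under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. It creates any missing key and Enabled dword, then reads the values back for review.

```powershell
# Added example. Run from an elevated PowerShell session.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Keys the page sets to 0x0.
$disable = @(
    'Ciphers\RC4 128/128', 'Ciphers\RC2 128/128',
    'Ciphers\RC4 64/128',  'Ciphers\RC4 56/128',
    'Ciphers\RC2 56/128',  'Ciphers\RC4 40/128',
    'Ciphers\RC2 40/128',  'Ciphers\NULL',
    'Hashes\MD5'
)
# Keys the page sets to 0xffffffff.
$enable = @(
    'Ciphers\Triple DES 168/168',
    'Hashes\SHA',
    'KeyExchangeAlgorithms\PKCS'
)

function Set-SchannelEnabled {
    param([string]$SubKey, [int]$Value)
    # Names such as "RC4 128/128" contain "/", which the PowerShell registry
    # provider treats as a path separator. The .NET registry API splits only
    # on "\", so the key is created with its literal name.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    try {
        $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

$off = 0
$on  = -1   # signed 32-bit -1 is stored as DWORD 0xffffffff

foreach ($k in $disable) { Set-SchannelEnabled -SubKey $k -Value $off }
foreach ($k in $enable)  { Set-SchannelEnabled -SubKey $k -Value $on }

# Read back every value that was written.
foreach ($k in ($disable + $enable)) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$k")
    $raw = [int]$key.GetValue('Enabled')
    $key.Close()
    '{0,-45} Enabled = 0x{1:x}' -f $k, $raw
}
```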
