Fixing Weak Cipher Suites


Posted by Peter Bassill on 01/01/2015


Nessus Summary

Nessus ID: 26928

CVSS v3.0 Base Score: 5.3

Nessus Description:

The remote host supports the use of SSL ciphers that offer weak encryption. Note: This is considerably easier to exploit if the attacker is on the same physical network.

How to Fix

This vulnerability is caused by a weak strength cipher being present in the SSL cipher suite. Nessus defines weak strength as any cipher that is less than 64-bit. Fixing this is simple.




Apache Fix

The following configuration should be added to the security.conf file to apply globally, or to a virtual host:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLHonorCipherOrder On

SSLCompression off

IIS Fix

The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:

Disable weak ciphers

Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set "Enabled" dword to "0x0" for the following registry keys:

SCHANNEL\Ciphers\RC4 128/128

SCHANNEL\Ciphers\RC2 128/128

SCHANNEL\Ciphers\RC4 64/128

SCHANNEL\Ciphers\RC4 56/128

SCHANNEL\Ciphers\RC2 56/128

SCHANNEL\Ciphers\RC4 40/128

SCHANNEL\Ciphers\RC2 40/128

SCHANNEL\Ciphers\NULL

SCHANNEL\Hashes\MD5

Enable strong ciphers

Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set "Enabled" dword to "0xffffffff" for the following registry keys:

SCHANNEL\Ciphers\Triple DES 168/168

SCHANNEL\Hashes\SHA

SCHANNEL\KeyExchangeAlgorithms\PKCS

If the Enabled dword doesn't exist yet, please create the dword and set the value to "0x0" or "0xffffffff" as required.
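
The registry steps above as a PowerShell script. This is an added example, not part of the original article or of the Microsoft Knowledge Base article. The `-Apply` switch and the function name `Set-SchannelEnabled` are this example's own; without `-Apply` the script only reports the current values.

```powershell
# Added example: apply or audit the Schannel "Enabled" values listed above.
# Run elevated with -Apply to write; without it the script only reports.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Keys the article sets to 0x0
$disable = @(
    'Ciphers\RC4 128/128', 'Ciphers\RC2 128/128', 'Ciphers\RC4 64/128',
    'Ciphers\RC4 56/128',  'Ciphers\RC2 56/128',  'Ciphers\RC4 40/128',
    'Ciphers\RC2 40/128',  'Ciphers\NULL',        'Hashes\MD5'
)
# Keys the article sets to 0xffffffff
$enable = @('Ciphers\Triple DES 168/168', 'Hashes\SHA', 'KeyExchangeAlgorithms\PKCS')

function Set-SchannelEnabled {
    param([string]$SubKey, [int]$Value, [switch]$Apply)
    $path = "$base\$SubKey"
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    if ($Apply) {
        # The registry provider (New-Item HKLM:\...) treats '/' as a path separator
        # and would split 'RC4 128/128' into two keys; .NET CreateSubKey splits on '\' only.
        $key = $hklm.CreateSubKey($path)
        # Int32 -1 is stored as the DWORD 0xffffffff
        $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    # Read back so the report shows what is actually in the registry
    $key = $hklm.OpenSubKey($path)
    $current = $null
    if ($key) { $current = $key.GetValue('Enabled'); $key.Close() }
    [pscustomobject]@{
        Key     = $SubKey
        Wanted  = '0x{0:x}' -f $Value
        Current = if ($null -eq $current) { '(not set)' } else { '0x{0:x}' -f $current }
    }
}

$results  = @($disable | ForEach-Object { Set-SchannelEnabled -SubKey $_ -Value 0 -Apply:$Apply })
$results += @($enable  | ForEach-Object { Set-SchannelEnabled -SubKey $_ -Value (-1) -Apply:$Apply })
$results | Format-Table -AutoSize
```

Any row where Current differs from Wanted after a run with `-Apply` means the write did not land, for example because the prompt was not elevated.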
