Failing Site Certifications For Ciphers

By Cudmasters Los
I keep getting this email that I am failing site certification; I am being told that this is failing.

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA Enc=DES(56)

Could use some help with this. I see that on XP, in regedit, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ there are Ciphers, Hashes, KeyExchangeAlgorithms, and Protocols, and under these folders there are extensions. On Server 2008, there are no extensions. The reason I am mentioning the folders is because I was told how to fix it, however I have no clue how to do this. This is the website for the fix. Whether it is 6.0 or 7.0, I don't know. With the curtis-lamasters post, do I create the folder since there is none?


*IIS 6.0*
http://support.microsoft.com/kb/245030/en-us
http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/

*IIS 7.0*
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

Also, I am assuming that it is the server that is failing. I have a Cisco 1811 router and had them on the phone; they did telnet into the router to fix the problem via remote session. I showed the e-mail error to them, and they don't know how to fix it; they said it was a server problem.


Any ideas?

Thanks
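The scanner line quoted above ("DES-CBC-SHA ... Enc=DES(56) Mac=SHA1") is OpenSSL's cipher-suite notation, the same layout `openssl ciphers -v` prints, and the SCHANNEL registry path named in the post is where Windows is told which ciphers and protocols its server side may offer. The following is an added example, not code from the thread or from any of the linked pages: it parses report lines in that notation, bands each suite by key size using the scanner's own "medium" definition (the low and high bands are my assumption), and renders a .reg file that sets `Enabled=0` under the matching `SCHANNEL\Ciphers` subkey. The subkey names follow KB 245030 (linked above); importing the file creates any subkey that does not yet exist, which is the answer to the "do I create the folder" question. The sample report lines and the optional `disable_protocols` argument are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout the thread quotes: a band heading, a protocol
# on its own line, then cipher lines in OpenSSL's "Kx= Au= Enc=NAME(bits) Mac="
# notation. DES-CBC-SHA is the suite from the thread; the other two are made up
# here to exercise the low and high bands.
SAMPLE_REPORT = """\
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
TLSv1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Subkey names under SCHANNEL\Ciphers as listed in KB 245030, keyed by the
# OpenSSL Enc name and key size. A flagged suite whose cipher is not in this
# table is still reported but gets no registry entry.
SCHANNEL_CIPHER_KEYS = {
    ("DES", 56): "DES 56/56",
    ("RC4", 40): "RC4 40/128",
    ("RC4", 56): "RC4 56/128",
    ("RC4", 128): "RC4 128/128",
    ("RC2", 40): "RC2 40/128",
    ("RC2", 56): "RC2 56/128",
    ("RC2", 128): "RC2 128/128",
    ("3DES", 168): "Triple DES 168/168",
    ("None", 0): "NULL",
}

CIPHER_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+(?:(?P<proto>SSLv[23]|TLSv[\d.]+)\s+)?"
    r"Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=\S+"
)
PROTO_LINE_RE = re.compile(r"^(?:SSLv[23]|TLSv[\d.]+)$")


@dataclass
class Suite:
    name: str
    proto: Optional[str]  # protocol heading the scanner listed it under, if any
    enc: str              # OpenSSL cipher name, e.g. "DES"
    bits: int             # symmetric key size


def strength(bits: int) -> str:
    """Band by key size. The medium band is the scanner's own definition
    quoted in the thread; low (< 56) and high (>= 112) are assumed here."""
    if bits < 56:
        return "low"
    if bits < 112:
        return "medium"
    return "high"


def parse_report(text: str) -> List[Suite]:
    """Extract suites, attaching the protocol heading each line sits under."""
    suites: List[Suite] = []
    current_proto: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PROTO_LINE_RE.match(line):
            current_proto = line
            continue
        m = CIPHER_RE.match(line)
        if m:
            suites.append(Suite(m["name"], m["proto"] or current_proto,
                                m["enc"], int(m["bits"])))
    return suites


def flagged(suites: List[Suite]) -> List[Suite]:
    """Suites below the 112-bit line, i.e. what the scanner would report."""
    return [s for s in suites if strength(s.bits) != "high"]


def schannel_reg(suites: List[Suite], disable_protocols: Tuple[str, ...] = ()) -> str:
    """Render a .reg file setting Enabled=0 under SCHANNEL\\Ciphers for each
    flagged suite and, optionally, under Protocols\\<name>\\Server."""
    keys: List[str] = []
    for s in flagged(suites):
        sub = SCHANNEL_CIPHER_KEYS.get((s.enc, s.bits))
        if sub:
            key = "\\".join([SCHANNEL, "Ciphers", sub])
            if key not in keys:
                keys.append(key)
    for proto in disable_protocols:  # e.g. "SSL 3.0" (assumed option)
        keys.append("\\".join([SCHANNEL, "Protocols", proto, "Server"]))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[{key}]", '"Enabled"=dword:00000000', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for s in found:
        print(f"{s.name:12s} {s.proto or '-':6s} {s.enc}({s.bits}) -> {strength(s.bits)}")
    print(schannel_reg(found, disable_protocols=("SSL 3.0",)))
```

Disabling the single `DES 56/56` cipher is all the quoted finding asks for; passing `disable_protocols=("SSL 3.0",)` additionally turns off SSL 3.0 for server-side connections, which goes further than the linked articles (they cover SSL 2.0) and should only be done after checking what clients still need it. Review the generated file before importing it and reboot afterwards, as KB 245030 instructs.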


All Answers


not enough information

by CG IT In reply to Failing Site Certificatio ...

Is the error coming up on XP?

You might want to look at the client browser: Tools, Internet Options, Advanced tab. Scroll to Security and see what's checked for TLS/SSL. There is the option to warn about mismatched TLS/SSL certs; you can clear the check box.


Monitoring Agency

by Cudmasters Los In reply to not enough information

A monitoring agency is saying that it is failing. Since I last posted, I have found out that they are saying that it is my Cisco 1811 router. I don't know how to use telnet, but I use CCP.


monitoring agency is saying your Cisco router

by CG IT In reply to Monitoring Agency

TLS/SSL certs are failing?

Never trust the other guy, and never trust what the other guy says.

Your Cisco 1811 is a router. It routes traffic. It has other capabilities, but without some idea of what it's supposed to do that requires TLS/SSL certs, it's tough to say it's the Cisco's problem. TLS/SSL are protocols. TLS/SSL establish secure socket layer connections. Certs are used to verify that the machine or person is who they say they are.

So what I would ask the monitoring agency [whoever that is] is: whose cert are they saying is failing TLS/SSL? They should be able to provide you with the cert. The cert would tell you what encryption was used, and really, the issuing agency of the cert is responsible.

Oops, correction: TLS/SSL is for secure communications, not identity; certs are for identity...


LOL

by Cudmasters Los In reply to monitoring agency is sayi ...

Right! I hate the fact that these guys are monitoring us all the time. Our Fiscal Dept. had set up direct deposit with Huntington Bank. This bank hires a group called Security Metrics. They are a pain in the butt. First I had to secure a protocol on SSH; apparently a certain version was not allowed to be used. Then something else with port 23, now this.


Huntington, eh?

by seanferd In reply to LOL

Interesting. Seems like they are actually trying for security, but there may be more theater than security involved.

Yeah, port 23 is for telnet, which is totally insecure. It shouldn't matter if it is open on your LAN side for configuration purposes, but if you don't use telnet, it should be closed. If it is open on the WAN/internet side, that is a bad security situation.


direct deposit, a bank, and a company network.

by CG IT In reply to LOL

Unless you're actually doing the financial transaction, which I doubt seriously because you don't say you're a financial institution, it sounds like a case of someone telling you something they know nothing about.

SSL is a secure protocol. There are different versions of SSH with different crypto in bits, but I'm not sure how that works with your Cisco. You have to know what the Cisco is supposed to do for SSL other than what the router does: route traffic.

I can see using SSL version 2 or 3, but you aren't specifying that on your Cisco except to allow SSL traffic to and from the network.

The host requesting the SSL connection with another host would negotiate the secure socket layer. Same with certs. Hosts are assigned certs for identity.

If your Cisco router is establishing a direct, persistent connection to your bank [???] I can see the security people being worried about open ports and holes, but it doesn't sound like that's the case.


Cisco Router

by Cudmasters Los In reply to direct deposit, a bank, ...

Unfortunately I don't know enough about the Cisco router to do this; I do see how to do this on the servers. When I talk to the people, they definitely do know what they are talking about as far as telling the customer what the problem is. They send me links on how to fix the problem, as shown in the first post. But that is for the server; they are telling me that the problem is the router because they see the username and login of the router through telnet, or SSH, one of the two, I forget which one. I had them on a three-way call with Cisco, and they were explaining the problem to them. My case with Cisco has been deferred to the security dept. of Cisco. I haven't called them back yet. Here is what they e-mailed Cisco and myself.

Dave,
Following is the cipher that we found that should not be supported.

Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3

DES-CBC-SHA Kx=RSA Au=RSA
Enc=DES(56) Mac=SHA1

thanks


They see the user name and login during telnet to the router?

by CG IT In reply to Cisco Router

Hmm, so the security firm actually can telnet into the router from outside? If so, I agree that's a security concern; however, the context of the security concern needs to be clear.

Is the security firm indicating a potential hole in which intruders might gain access to the network? If so, then is the need for telnet via outside into the network necessary? If it is not, then the security concern can be addressed simply by denying or turning off the feature.

If the need for telnet into the network from outside is required, then it is possible that the version of IOS you're running might need to be upgraded to take advantage of newer IOS features and enhancements such as stronger encryption on the line & VTY.

The other area is accessing the web-based features of the router. Again, the context of the security concern needs to be clear. Is the concern that an outside intruder can gain access to the router via SSL web-browser-based configuration? If so, then is there a need to access the router in this manner? If the security concern is access from the inside, again, maybe the version of IOS you're running has a newer version with features and enhancements that have stronger encryption.

Lastly, what are the security compliance requirements? While the security firm audit might find potential security concerns, are you actually required by contract to meet the higher security requirements?

I've run into this where the contract specifies a security level to meet, but because of changing security, what was secure might not be as secure, thus an audit agency highlights the potential security concern. Yet the contract has no provision for this. Changes in the scope of the contract, which higher security than initially contracted for falls under, does require renegotiation. Something for the legal department to review.
