VMware Communities: Message List - SSL Server support weak encryption

Re: SSL Server support weak encryption

Texiwill — Tue, 11 Aug 2009 16:02:40 GMT

Hello,

You could change it in these files.... Not sure what would happen but do not think it is an issue.....

/usr/lib/vmware/webAccess/tomcat/*/conf/server.xml

However, not everything uses tomcat either so there are other concerns as well. This just fixes it for webAccess which includes anything using the VI-SDK, etc.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: SSL Server support weak encryption

glopglop — Mon, 10 Aug 2009 18:54:33 GMT

Openssl recompile is not needed to disable weak ciphers. This is usally a server side option/configuration of the application using openssl.

For example, in Apache/mod_ssl this is controlled by SSLCipherSuite parameter, in Tomcat, this is controlled by ciphers parameter in the server.xml config file, ....

For VMware there seems to be no way to configure this but this is currently addressed according the rrandel previous post.

Re: SSL Server support weak encryption

glopglop — Mon, 10 Aug 2009 18:45:58 GMT

I tend to agree with you that the risk is minimal but some security officers/auditors like to have "clean" scan results.

It is good to know that this is being addressed as this will avoid lenghty discussions with auditors in the future.

Re: SSL Server support weak encryption

Texiwill — Mon, 10 Aug 2009 15:09:34 GMT

Hello,

The only way I know to do this would be to recompile openSSL without those ciphers. I am glad the test is more than just looking at version numbers. But as Rob stated, your management network should be protected with a well defined set of tools connecting to it.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: SSL Server support weak encryption

rrandell — Mon, 10 Aug 2009 14:51:14 GMT

It is the case that these weaker ciphers are currently supported. This is being addressed, but IMHO the risk is VERY minimal. The fact is that the only way this risk could be realized is if one of your administrators used a browser that only supported the weak ciphers. The VIC, nor do most modern browsers support weak ciphers. From my perspective, this is more of a concern for a public facing website to allow this, since you don't necessarily know what the "users" of the website are using for their browser. In a corporate environment, you should be able to control what browser your administrators are using which will completely mitigate this risk.

Re: SSL Server support weak encryption

glopglop — Mon, 10 Aug 2009 07:50:30 GMT

SSL Server Weak encryption is not done by checking openssl version but by simply trying to open a connection using a weak cipher.

For example on ESX 3.5, the following weak ciphers are detected (56 bit encryption).

CIPHER	KEY-EXCHANGE	AUTHENTICATION	MAC	ENCRYPTION(KEY-STRENGTH)	GRADE
SSLv3 WEAK CIPHERS
EXP1024-RC4-SHA	RSA(1024)	RSA	SHA1	RC4(56)	LOW
EXP1024-DES-CBC-SHA	RSA(1024)	RSA	SHA1	DES(56)	LOW
DES-CBC-SHA	RSA	RSA	SHA1	DES(56)	LOW
TLSv1 WEAK CIPHERS
EXP1024-RC4-SHA	RSA(1024)	RSA	SHA1	RC4(56)	LOW
EXP1024-DES-CBC-SHA	RSA(1024)	RSA	SHA1	DES(56)	LOW
DES-CBC-SHA	RSA	RSA	SHA1	DES(56)	LOW

You can test it by running:

openssl s_client -connect <hostname of ESX console>:443 -cipher DES-CBC-SHA

If you are getting an answer, then the weak cipher is supported.

So the question remains open. Is there a way to we enforce only strong cipher.

Re: SSL Server support weak encryption

Texiwill — Wed, 01 Jul 2009 17:33:37 GMT

Hello,

Moved to the Security Forum.

Welcome to the forums. The big issue about this question, and it actually comes up a lot, is how the 'tool' you are using is finding this vulnerability. I imagine it is looking at the version of OpenSSL installed on the host and not actually trying to run an exploit. If it is looking at the version # then it is a false positive, as like RedHat, VMware backports changes into OpenSSL without changing the version number of the package.

If it is testing the certificates in use, then replace the self-signed certificates with your own signed certificates.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

SSL Server support weak encryption

MAD1969 — Wed, 01 Jul 2009 09:30:56 GMT

Completed a vulnerability study on our ESX 3.5 environment and its high lighted (SSL (Sercure Socket Layer) Server support weak encryption keys, which are defined as encryption keys with lengths of less 128 bits. Message encypted with weak encryption keys are relatively easy for an unauthorized user decrpt) on port 443.

I have looked at the VMware Secuirty Hardening document and it say that it Must always be available.

Should this be left allow, or is there anything I can do to correct this?

Thanks