When a user runs a security scan against eHealth 6.2, the following vulnerability may be reported:
SSL Anonymous Cipher Suites Discovery
The eHealth host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
eHealth's SSL configuration does provide an option to disable SSLv2; if SSLv2 is a concern, the user should enable this option when configuring SSL in eHealth.
The 'CA eHealth, Command and Environment Variables Reference Guide' documents the method for disabling SSLv2, which addresses the following scanner findings:
- SSL Version 2 (v2) Protocol Detection
- SSL Anonymous Cipher Suites Discovery
To disable support for all SSL version 2.0 ciphers and specify that only SSL version 3.0 ciphers are supported, run the command nhWebProtocol with the -disableSSLv2 parameter. For example:
nhWebProtocol -mode https -hostname abc.ca.com -disableSSLv2
If the customer previously configured SSL without specifying -disableSSLv2, the command must be run again.
The 'nhWebProtocol -disableSSLv2' command generates the parameter:
To address anonymous, medium-strength and weak SSL ciphers as well, the parameter should be the following (as recommended at http://blog.techstacks.com/2008/08/apache-configuration-and-pci-compliance_18.html):
However, the latest eHealth release to date, 6.2.2, has no mechanism to generate an SSLCipherSuite directive with the options listed; this will be an enhancement in future releases.
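As an added example (not from this article or from CA), the following Python code expands an Apache/OpenSSL cipher string the way SSLCipherSuite does and reports any anonymous suites it still permits, and then probes a host to confirm it refuses anonymous suites once its configuration is changed. The cipher string value and the host name are assumptions, since the article does not show the recommended SSLCipherSuite value.

```python
import socket
import ssl

# Constructed hardened SSLCipherSuite value (an assumption; the article does not
# show its recommended value): excludes anonymous (aNULL), null-encryption
# (eNULL), export, LOW/MEDIUM strength, MD5 and RC4 suites.
HARDENED_CIPHER_SUITE = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!MD5:!RC4"


def is_anonymous(description):
    """True if an OpenSSL cipher description (e.g. 'ADH-AES128-SHA SSLv3 Kx=DH
    Au=None Enc=AES(128) Mac=SHA1') marks the suite as unauthenticated."""
    return "Au=None" in description.split()


def anonymous_ciphers(cipher_string):
    """Expand a cipher string as Apache's SSLCipherSuite would and return the
    names of the anonymous suites it still permits. An empty list means the
    'SSL Anonymous Cipher Suites' finding cannot apply to that configuration.
    Raises ssl.SSLError if the string matches no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if is_anonymous(c["description"])]


def accepts_anonymous_cipher(host, port=443, timeout=5.0):
    """Offer a server only anonymous suites (TLS 1.2 and below) and report
    whether it completes the handshake. Run against your own host after
    reconfiguring: a hardened server replies with a handshake failure, so
    this returns False. Connection errors are left to propagate so that an
    unreachable host is not mistaken for a hardened one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # anonymous suites present no certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    ctx.set_ciphers("aNULL:@SECLEVEL=0")  # SECLEVEL=0 lets OpenSSL >= 1.1 offer them
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("anonymous suites still allowed:", anonymous_ciphers(HARDENED_CIPHER_SUITE))
    # accepts_anonymous_cipher("ehealth.example.com")  # hypothetical eHealth host
```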