SSL Medium & Weak Cipher Suites Supported

Document ID : KB000049857
Last Modified Date : 14/02/2018

Description:

The user's Information Security Risk department performed a security test against eHealth 6.2, and the following vulnerability was reported:

SSL Medium & Weak Cipher Suites Supported

The eHealth host supports the use of SSL ciphers that offer either medium-strength or weak encryption. This is considerably easier to exploit if the attacker is on the same physical network.

Solution:

If the customer is concerned about SSLv2, the eHealth SSL configuration does provide a way to disable SSLv2, and the customer should enable this option when configuring SSL in eHealth.

The 'CA eHealth, Command and Environment Variables Reference Guide' documents the method for disabling SSLv2. Related findings that a scanner typically reports alongside this one are:

  1. SSL Version 2 (v2) Protocol Detection
  2. SSL Anonymous Cipher Suites Discovery

To disable support for all SSL version 2.0 ciphers so that only SSL version 3.0 and later ciphers are offered, run the nhWebProtocol command with the -disableSSLv2 parameter. (Note that SSL 3.0 itself has since been deprecated by RFC 7568; -disableSSLv2 only removes SSLv2 and does not restrict which cipher suites are offered.) For example:

nhWebProtocol -mode https -hostname abc.ca.com -disableSSLv2

If the customer had previously configured SSL without specifying -disableSSLv2, the command must be run again with that parameter so that the web server configuration is regenerated.

The 'nhWebProtocol -disableSSLv2' command generates the following Apache SSLCipherSuite directive, which enables every cipher suite OpenSSL supports except null-encryption suites, including anonymous, export and low-strength suites:

SSLCipherSuite ALL

To address the SSL anonymous, medium and weak cipher findings, the parameter should instead be the following (as recommended at http://blog.techstacks.com/2008/08/apache-configuration-and-pci-compliance_18.html):

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Note that this string removes anonymous (!aNULL:!ADH), null-encryption (!eNULL), low-strength (!LOW) and export (!EXP) suites, but the RC4+RSA, +HIGH and +MEDIUM terms only move RC4 and MEDIUM-strength suites to the end of the preference list rather than removing them. A scanner that flags medium-strength suites (such as RC4) will therefore still report them; clearing that finding as well requires excluding those suites explicitly, for example by appending !MEDIUM:!RC4.

However, in the latest eHealth release to date, 6.2.2, there is no mechanism to generate an SSLCipherSuite directive with the options listed; this is planned as an enhancement for a future release.
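The cipher strings above can be checked offline before any change is made on the eHealth host. The following Python script is an added example written for this page, not CA code: it assumes that Apache hands the SSLCipherSuite string unchanged to OpenSSL, and uses Python's ssl module (itself backed by OpenSSL) to expand each string and classify what remains the way a scanner would. The stricter alternative string, the classification rules and the category names are the editor's assumptions, not part of the article.

```python
import re
import ssl

# Cipher strings quoted in the KB article. Assumption: Apache passes the
# SSLCipherSuite value straight to OpenSSL, so expanding it with Python's
# ssl module shows what the server would actually offer.
GENERATED_BY_DISABLESSLV2 = "ALL"
RECOMMENDED_IN_KB = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
# Editor's suggestion (not from the article): exclude MEDIUM-strength and
# legacy algorithms outright instead of merely ordering them last.
STRICT = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM:!RC4:!3DES:!SEED:!IDEA:!MD5"

# Algorithms scanners classify as medium strength even though OpenSSL
# reports 112-128 bits for them (RC4 keystream bias, 64-bit block ciphers).
MEDIUM_NAME_PATTERN = re.compile(r"(RC4|DES-CBC3|SEED|IDEA)")


def enabled_ciphers(cipher_string):
    """Return the cipher dicts OpenSSL enables for an SSLCipherSuite string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selectable
    return ctx.get_ciphers()


def classify(cipher):
    """Map one cipher dict onto the finding a scanner would raise for it."""
    desc = cipher["description"]  # same text as `openssl ciphers -v`
    bits = cipher["strength_bits"]
    auth = re.search(r"Au=(\S+)", desc)
    if auth and auth.group(1) == "None":
        return "anonymous"        # no server authentication: trivially MITM-able
    if "Enc=None" in desc:
        return "null_encryption"  # eNULL: plaintext on the wire
    if "export" in desc or bits < 64:
        return "weak"             # EXPORT/LOW: brute-forceable key size
    if bits < 128 or MEDIUM_NAME_PATTERN.search(cipher["name"]):
        return "medium"
    return "ok"


def audit(cipher_string):
    """Group the suites a cipher string enables by finding category."""
    report = {"anonymous": [], "null_encryption": [], "weak": [], "medium": [], "ok": []}
    for cipher in enabled_ciphers(cipher_string):
        report[classify(cipher)].append(cipher["name"])
    return report


if __name__ == "__main__":
    for label, value in [("ALL (generated by -disableSSLv2)", GENERATED_BY_DISABLESSLV2),
                         ("KB recommendation", RECOMMENDED_IN_KB),
                         ("stricter alternative", STRICT)]:
        report = audit(value)
        print(f"{label}: {value}")
        for category in ("anonymous", "null_encryption", "weak", "medium"):
            names = ", ".join(report[category][:5])
            print(f"  {category:16s} {len(report[category]):3d} suite(s) {names}")
```

The expansion of ALL differs by OpenSSL version (export, DES and RC4 suites are simply absent from current builds), which is the point of running the check against the OpenSSL the eHealth web server actually links rather than reading the string: a cipher string that looks clean on one build may still offer RC4 or 3DES on another.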