pramod1
asked on
SQUID PROXY SERVER, UNIX, SSL/HTTPS
We have a Squid proxy server.
we recently ran a scan and it returned a new vulnerability with regards to SSL/TLS, which is known as the “Sweet32” Birthday Attack. The conclusion is that DES and 3DES are weak ciphers and should be disabled on HTTPS servers. This does not affect the SSL Certificates – they do not need to be re-issued.
We have 8 systems that are affected by this. Can we determine if DES and 3DES can be disabled on those systems, or is there any other plan of action?
https://blog.digicert.com/sweet32-birthday-attack-what-you-need-to-know/
https://sweet32.info
ASKER
It is a Linux box web proxy server which redirects email traffic to our Exchange server.
Where did the SSL check come up? Is the proxy running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange?
Or do you have users use it as a proxy, and you have a mail server that functions as a scanning/anti-spam gateway to your Exchange?
You have to identify each service (port) where the notice came up and adjust the secure portion of the configuration to restrict which protocols and ciphers it offers.
It could be on your Exchange, where registry edits to Schannel can restrict which protocols and ciphers are available...
ASKER
The proxy is running as a reverse proxy on which an SSL connection terminates and is then forwarded to Exchange?
You've listed too many things, which makes it difficult to figure out what you have.
SSL/ciphers are controlled through OpenSSL.
What functions does the system provide?
If you have a Squid reverse proxy or web server, look for how to disable vulnerable protocols and ciphers in OpenSSL.
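An added example, not part of any post above and not Squid's own tooling: a heuristic audit that lists each `https_port` line in a squid.conf whose cipher list does not explicitly exclude the Sweet32-affected ciphers. It assumes the listener is configured with Squid's `https_port` directive and its `cipher=` option (an OpenSSL cipher string); the sample configuration, hostname and paths are constructed.

```python
import re

# OpenSSL cipher-string keywords for the 64-bit block ciphers named in the scan.
WEAK_KEYWORDS = ("3DES", "DES")

# Constructed sample squid.conf fragment (hypothetical hostname and paths).
SAMPLE_CONF = """\
# reverse proxy in front of Exchange
https_port 443 accel cert=/etc/squid/proxy.pem defaultsite=mail.example.com
https_port 8443 accel cert=/etc/squid/proxy.pem cipher=HIGH:MEDIUM:!aNULL
https_port 9443 accel cert=/etc/squid/proxy.pem cipher=HIGH:!aNULL:!MD5:!3DES:!DES
http_port 3128
"""

def excludes(cipher_string, keyword):
    """True only for '!KEYWORD', which removes the ciphers permanently.
    '-KEYWORD' is not accepted: a later token can add those ciphers back."""
    tokens = re.split(r"[:, ]+", cipher_string)
    return "!" + keyword in tokens

def audit(conf_text):
    """Return (line number, port, reason) for each https_port needing review."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "https_port":
            continue
        port = fields[1]
        opts = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        cipher = opts.get("cipher")
        if cipher is None:
            findings.append((lineno, port,
                             "no cipher= option; library default list applies"))
            continue
        missing = [k for k in WEAK_KEYWORDS if not excludes(cipher, k)]
        if missing:
            findings.append((lineno, port,
                             "cipher= does not exclude: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for lineno, port, reason in audit(SAMPLE_CONF):
        print(f"line {lineno}: https_port {port}: {reason}")
```

This is a lexical check only: a cipher list that names individual suites without 3DES is still reported, so confirm the result by re-running the scan against each port after changing the configuration.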