Deprecated SSL and Weak Ciphers

sd_dbray · ‎10-05-2017

A vulnerability scan of a Linux server running the LDAP Proxy duoauthproxy will reveal the following vulnerabilities:

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the ‘SSL/TLS: Report Weak and Supported Ciphers’ (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

SSL/TLS: Report Weak Cipher Suites
’Weak’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

After checking over the configs and documentation, I am not finding the necessary settings to remove SSLV2/3 nor update the weak ciphers.

Is there and advanced setting or something I am missing?

mkorovesisduo · ‎10-05-2017

Hi sd_dbray. At present, there is no option for customers to edit SSL/TLS configuration (both protocol versions and ciphersuites) in the Authentication Proxy.

We do plan to restrict SSL/TLS versions allowed by the proxy, but that is still a work-in-progress.

sd_dbray · ‎10-13-2017

Thanks for the update, appreciate it.

sjj2 · ‎08-30-2018

Are there any updates on restricting SSL/TLS versions allowed by the proxy, our auditors are finding issues on some of our servers and want us to get these corrected.

DuoKristina · ‎08-31-2018

@sjj2,

Please contact Duo Support to discuss your auditor findings; we’d like more information.

Duo, not DUO.

jhoff01 · ‎10-29-2018

I’m having the same issues with our security department’s scans flagging for weak ciphers. We’ve reached out to DUO support, but we keep getting replies with solutions to harden a web server (from links to commonly found articles via a Google search). Is there a particular subject I should put in a ticket to get my concerns/issues to the correct individual/team? Also, is there a time frame for when this will be addressed? Thanks much.

timmy3 · ‎01-02-2019

Any update from duo support? I installed the latest version for duoproxy but the weak ciphers are still there. I would like to disable sslv3 and TLSv1.0 as well

[root@DMZ-LB02 webvis]# nmap --script ssl-enum-ciphers -p 636 192.168.xxx.xxx

timmy3 · ‎01-03-2019

I managed to implement a temporary solution. I simply bind it to localhost and have haproxy sitting infront of it to handle SSL/TLS configuration (both protocol versions and ciphersuites)

If you are running more than one instance of duoproxy or multiple listening IP on one instance of a single server, simply bind each of them to 127.0.0.1, 127.0.0.2, 127.0.0.3.

This solution will keep the vulnerability scanning tool happy. Hopefully it helps. If you need more help i can provide the configuration of haproxy and duoproxy

Cooper1 · ‎01-21-2019

I see the proxy docs now say you can control the ciphers and TLS/SSL version however I’m not able to get a clean scan after adjusting those settings. Is it still the case that those aren’t user-tunable?

DuoKristina · ‎01-22-2019

@Cooper,

Did you update your Authentication Proxy version to 2.12.0? Did you cycle the proxy service after editing the .cfg file?

Duo, not DUO.

Cooper1 · ‎01-22-2019

I thought I was at at least 2.12.0 but when I checked I wasn’t. I’m now trying to remember how I installed the proxy as non-root so that I can upgrade.

sd_dbray · ‎01-22-2019

@Cooper
Thank you very much update. I downloaded the latest, updated the config, re-ran my OpenVAS scans, and no more vulnerabilities detected.

Thanks!