Deprecated SSL and Weak Ciphers


#1

A vulnerability scan of a Linux server running the LDAP Proxy duoauthproxy will reveal the following vulnerabilities:

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the ‘SSL/TLS: Report Weak and Supported Ciphers’ (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

SSL/TLS: Report Weak Cipher Suites
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

After checking over the configs and documentation, I am not finding the necessary settings to remove SSLV2/3 nor update the weak ciphers.

Is there an advanced setting or something I am missing?
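The findings quoted above come from an external scanner, so it helps to be able to reproduce them independently before and after a fix. The following is an added example (not Duo's code and not part of the original post) with two parts: a classifier that parses IANA cipher-suite names such as the three the scanner listed and reports why each is considered weak, and a probe that attempts one handshake per SSL/TLS version against a host and port you choose. The weakness markers, the sample suite list, and the host/port values are the example's own assumptions; the classifier goes beyond the post's three suites and also flags NULL, export, anonymous, DES/3DES, RC2, IDEA and MD5-based suites, plus static-RSA key exchange for lacking forward secrecy.

```python
import socket
import ssl

# Constructed sample: the three suites quoted by the scanner above,
# plus two modern suites for contrast.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# Substrings of an IANA suite name that make it unacceptable, with the reason.
# This list is the example's own assumption, not a scanner's rule set.
WEAK_MARKERS = [
    ("NULL", "no encryption"),
    ("EXPORT", "export-grade key size"),
    ("ANON", "anonymous key exchange, no server authentication"),
    ("_DES_", "single DES"),
    ("3DES", "3DES, 64-bit block (Sweet32)"),
    ("RC4", "RC4 stream cipher is broken"),
    ("RC2", "RC2 legacy cipher"),
    ("IDEA", "IDEA legacy cipher"),
    ("SEED", "SEED legacy cipher, dropped from modern TLS profiles"),
    ("_MD5", "MD5-based MAC/PRF"),
]


def classify(suite):
    """Return the list of reasons a suite is weak; an empty list means no finding."""
    reasons = [reason for marker, reason in WEAK_MARKERS if marker in suite]
    # Static RSA key exchange (TLS_RSA_WITH_...) offers no forward secrecy.
    if suite.startswith("TLS_RSA_WITH_"):
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def weak_suites(suites):
    """Map each weak suite name to its reasons, dropping suites with no finding."""
    return {s: classify(s) for s in suites if classify(s)}


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns 'accepted', 'rejected', or 'unsupported-locally' (the local
    OpenSSL build cannot speak that version, which is normal for SSLv3 today,
    so a scanner with its own TLS stack may still see more than this probe).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only negotiation is under test here, so certificate validation is off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Lower the OpenSSL security level so TLS 1.0/1.1 are not refused client-side.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, OSError):
        return "rejected"


def probe_all_versions(host, port):
    """Probe every version the ssl module knows and return {name: result}."""
    versions = [
        ssl.TLSVersion.SSLv3,
        ssl.TLSVersion.TLSv1,
        ssl.TLSVersion.TLSv1_1,
        ssl.TLSVersion.TLSv1_2,
        ssl.TLSVersion.TLSv1_3,
    ]
    return {v.name: probe_version(host, port, v) for v in versions}


if __name__ == "__main__":
    # Hypothetical target; replace with the proxy's LDAPS listener.
    HOST, PORT = "ldap-proxy.example.internal", 636
    for name, reasons in weak_suites(SAMPLE_SUITES).items():
        print(f"{name}: {'; '.join(reasons)}")
    for version, result in probe_all_versions(HOST, PORT).items():
        print(f"{version}: {result}")
```

Run the classifier against the scanner's list to confirm each finding has a concrete reason, then rerun the version probe after any change so the audit evidence is your own rather than only the scanner's. Because the probe uses the local OpenSSL, an 'unsupported-locally' result for SSLv3 says nothing about the server; only the scanner's own stack can confirm that one.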


#2

Hi sd_dbray. At present, there is no option for customers to edit SSL/TLS configuration (both protocol versions and ciphersuites) in the Authentication Proxy.

We do plan to restrict SSL/TLS versions allowed by the proxy, but that is still a work-in-progress.


#3

Thanks for the update, appreciate it.


#4

Are there any updates on restricting SSL/TLS versions allowed by the proxy? Our auditors are finding issues on some of our servers and want us to get these corrected.


#5

@sjj2,

Please contact Duo Support to discuss your auditor findings; we’d like more information.


#6

I’m having the same issues with our security department’s scans flagging for weak ciphers. We’ve reached out to DUO support, but we keep getting replies with solutions to harden a web server (from links to commonly found articles via a Google search). Is there a particular subject I should put in a ticket to get my concerns/issues to the correct individual/team? Also, is there a time frame for when this will be addressed? Thanks much.