Deprecated SSL and Weak Ciphers


#1

A vulnerability scan of a Linux server running the LDAP Proxy duoauthproxy will reveal the following vulnerabilities:

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the ‘SSL/TLS: Report Weak and Supported Ciphers’ (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

SSL/TLS: Report Weak Cipher Suites
’Weak’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

After checking over the configs and documentation, I am not finding the necessary settings to remove SSLV2/3 nor update the weak ciphers.

Is there and advanced setting or something I am missing?


#2

Hi sd_dbray. At present, there is no option for customers to edit SSL/TLS configuration (both protocol versions and ciphersuites) in the Authentication Proxy.

We do plan to restrict SSL/TLS versions allowed by the proxy, but that is still a work-in-progress.


#3

Thanks for the update, appreciate it.


#4

Are there any updates on restricting SSL/TLS versions allowed by the proxy, our auditors are finding issues on some of our servers and want us to get these corrected.


#5

@sjj2,

Please contact Duo Support to discuss your auditor findings; we’d like more information.


#6

I’m having the same issues with our security department’s scans flagging for weak ciphers. We’ve reached out to DUO support, but we keep getting replies with solutions to harden a web server (from links to commonly found articles via a Google search). Is there a particular subject I should put in a ticket to get my concerns/issues to the correct individual/team? Also, is there a time frame for when this will be addressed? Thanks much.


#7

Any update from duo support? I installed the latest version for duoproxy but the weak ciphers are still there. I would like to disable sslv3 and TLSv1.0 as well

[root@DMZ-LB02 webvis]# nmap --script ssl-enum-ciphers -p 636 192.168.xxx.xxx

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-02 17:06 +08
Nmap scan report for xxxxxx (192.168.xxx.xxxx)
Host is up (0.00038s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak


#8

I managed to implement a temporary solution. I simply bind it to localhost and have haproxy sitting infront of it to handle SSL/TLS configuration (both protocol versions and ciphersuites)

If you are running more than one instance of duoproxy or multiple listening IP on one instance of a single server, simply bind each of them to 127.0.0.1, 127.0.0.2, 127.0.0.3.

This solution will keep the vulnerability scanning tool happy. Hopefully it helps. If you need more help i can provide the configuration of haproxy and duoproxy


#9

I see the proxy docs now say you can control the ciphers and TLS/SSL version however I’m not able to get a clean scan after adjusting those settings. Is it still the case that those aren’t user-tunable?


#10

@Cooper,

Did you update your Authentication Proxy version to 2.12.0? Did you cycle the proxy service after editing the .cfg file?


#11

@Cooper
Thank you very much update. I downloaded the latest, updated the config, re-ran my OpenVAS scans, and no more vulnerabilities detected.

Thanks!


#12

I thought I was at at least 2.12.0 but when I checked I wasn’t. :frowning: I’m now trying to remember how I installed the proxy as non-root so that I can upgrade.