
Thread: SSL Anonymous Cipher Suites Supported

  1. #1
    Join Date
    Dec 2011
    Posts
    4
    Rep Power
    3

    SSL Anonymous Cipher Suites Supported

    Nessus reported the following threat from Zimbra. Does anyone know how to correct it?

    Thanks.

    Summary:
    SSL Anonymous Cipher Suites Supported

    Risk: High (3)
    Type: Nessus
    Port: 465
    Protocol: TCP
    Threat ID: 131705

    Information From Target:
    The remote server supports the following anonymous SSL ciphers :

    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
    ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
    ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
    ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
    ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1

    The fields above are :

    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}

    Solution:
    Reconfigure the affected application if possible to avoid use of weak
    ciphers.


    Details:

    The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
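
As an added example (not part of this thread or of Zimbra's own tooling), the script below parses cipher lines in the format Nessus prints above and flags the suites with Au=None, so an admin can confirm exactly which anonymous suites a report lists before deciding what to change; the sample input is constructed from the post, and the OpenSSL cipher-string policy at the end is a generic assumption, not a Zimbra setting.

```python
import re

# Constructed sample in the format Nessus prints (same shape as the post above).
# The last line is a constructed, authenticated suite to show the contrast.
NESSUS_OUTPUT = """\
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

FIELD_RE = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")

def parse_cipher_line(line):
    """Turn 'NAME Kx=.. Au=.. Enc=.. Mac=..' into a dict; None if the line does not match."""
    line = line.strip()
    if not line:
        return None
    name, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    if not {"Kx", "Au", "Enc", "Mac"} <= set(fields):
        return None
    fields["name"] = name  # 'n/a' when Nessus has no OpenSSL name for the suite
    return fields

def parse_report(text):
    return [c for c in map(parse_cipher_line, text.splitlines()) if c]

def anonymous_suites(ciphers):
    """Au=None: a DH key exchange happens but neither side proves its identity,
    so an active attacker in the path goes undetected. Duplicate lines collapse."""
    seen, result = set(), []
    for c in ciphers:
        if c["Au"].lower() == "none" and c["name"] not in seen:
            seen.add(c["name"])
            result.append(c["name"])
    return result

def finding_is_real(text):
    """True when the scanner output lists at least one anonymous suite."""
    return bool(anonymous_suites(parse_report(text)))

# Assumed generic OpenSSL cipher-string policy that excludes everything flagged above:
# !aNULL drops anonymous (Au=None) suites, !eNULL drops unencrypted ones.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4"

if __name__ == "__main__":
    for name in anonymous_suites(parse_report(NESSUS_OUTPUT)):
        print("anonymous suite offered:", name)
```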

  2. #2
    Join Date
    Nov 2009
    Posts
    38
    Rep Power
    5


    I also have the same issue.

  3. #3
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,285
    Rep Power
    10


    This is a bogus report. I suggest you contact Nessus and ask them to fix their software. This does not affect SMTP/SMTPS (which is what port 465 is).
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
