SSL Vulnerabilities

SSL Server allows Anonymous Authentication Vulnerability

This means that a client can connect to the server without the server being authenticated at all. Some SSL cipher suites allow anonymous authentication. Choosing the right cipher suites, as explained in an earlier post, and disabling the null cipher from the admin console help mitigate this risk.

SSL Server Allows Clear text Communication Vulnerability

This vulnerability depends on the cipher suites in use, as some cipher suites allow clear text communication. If no cipher suite is explicitly listed in the config.xml file, the default set is enabled, and that set includes the cipher suites that allow clear text communication as well as those that do not.

To prevent clear text communication, avoid TLS_RSA_WITH_NULL_MD5 and TLS_RSA_WITH_NULL_SHA, as these two cipher suites have a symmetric key strength of 0. For a list of allowed cipher suites, see the previous post. The values assigned there will allow 56-bit as well as 128-bit encryption.
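A small audit script, added here as an example (not part of the original post or of the server product), that reads the cipher suites listed in a config.xml and flags the two problems above: NULL-encryption suites (clear text) and anonymous key exchange. The sample config.xml fragment is constructed, and its `<ssl>`/`<ciphersuite>` element layout is an assumption for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not from a real domain); the <ssl>/<ciphersuite>
# element layout is an assumption made for this example.
SAMPLE_CONFIG_XML = """<domain>
  <server><name>AdminServer</name>
    <ssl><enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_NULL_MD5</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_NULL_SHA</ciphersuite>
      <ciphersuite>TLS_DH_anon_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
</domain>"""

# Symmetric key strength (bits) keyed by the encryption token after "_WITH_" in the IANA name.
KEY_BITS = {"NULL": 0, "RC4_40": 40, "DES40_CBC": 40, "DES_CBC": 56,
            "3DES_EDE_CBC": 112, "RC4_128": 128, "AES_128_CBC": 128,
            "AES_128_GCM": 128, "AES_256_CBC": 256, "AES_256_GCM": 256}

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>MD5|SHA\d*)$")

def audit_suite(suite):
    """Return (key_bits, [problems]) for one suite name; key_bits is None if unparsed."""
    m = SUITE_RE.match(suite)
    if not m:
        return None, ["unrecognised suite name"]
    problems = []
    if "anon" in m.group("kx"):            # DH_anon / ECDH_anon: no server certificate
        problems.append("anonymous key exchange (no server authentication)")
    bits = KEY_BITS.get(m.group("enc"))
    if bits == 0:                          # TLS_RSA_WITH_NULL_* family
        problems.append("NULL cipher (clear text, 0-bit symmetric key)")
    elif bits is None:
        problems.append("unknown encryption algorithm " + m.group("enc"))
    return bits, problems

def audit_config(xml_text):
    """Audit every <ciphersuite> in the config. An empty result means no suite is
    pinned, so the server's default list (which includes clear text suites) applies."""
    root = ET.fromstring(xml_text)
    return {cs.text.strip(): audit_suite(cs.text.strip())
            for cs in root.iter("ciphersuite")}

if __name__ == "__main__":
    for name, (bits, problems) in audit_config(SAMPLE_CONFIG_XML).items():
        print(f"{name:40} {str(bits):>4}-bit  {'; '.join(problems) or 'ok'}")
```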

TLS Protocol Session Renegotiation Security Vulnerability

The details of the vulnerability can be found here.
If you have applied the latest Critical Patch Update, you should be fine.
Find more details here.
