Fixing SSL Null Cipher Suites Supported

Nessus Summary

Nessus Plugin ID: 66848

CVSS v3.0 Base Score: 5.3

Nessus Description:

The remote host supports the use of SSL ciphers that offer no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.


How to Fix

Null cipher suites is where a zero level of encryption is acceptable. This is totally unacceptable in any environment and should be fixed as soon as possible.

Apache Fix

The follow configuration should be added to the security.conf file to apply globally or to virtual host:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

IIS Fix

The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:

Disable weak ciphers

Open the registry editor and locate HKLMSYSTEMCurrentControlSetControlSecurityProviders

Set "Enabled" dword to "0x0" for the following registry keys:

SCHANNELCiphersRC4 128/128
SCHANNELCiphersRC2 128/128
SCHANNELCiphersRC4 64/128
SCHANNELCiphersRC4 56/128
SCHANNELCiphersRC2 56/128
SCHANNELCiphersRC4 40/128
SCHANNELCiphersRC2 40/128
SCHANNELCiphersNULL
SCHANNELHashesMD5

Enable strong ciphers

Open the registry editor and locate HKLMSYSTEMCurrentControlSetControlSecurityProviders

Set "Enabled" dword to "0xffffffff" for the following registry keys

SCHANNELCiphersTriple DES 168/168
SCHANNELHashesSHA
SCHANNELKeyExchangeAlgorithmsPKCS

If the Enabled dword doesn't exist yet, please create the dword and set the value to "0x0" or "0xffffffff" as required.