Fixing SSL Medium Strength Cipher Suites Supported



Posted on 2009-01-01 by Peter Bassill in category Guides.




Nessus Summary
Nessus Plugin ID: 42873
CVSS v3.0 Base Score: 5.3


Nessus Description:
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.


How to Fix
This finding is caused by a medium strength cipher being offered in the server's SSL/TLS cipher suite. Medium strength is defined within Nessus as any cipher with a key length between 64 bits and 112 bits, or any cipher that uses 3DES.


If you are unable to fix it or don't have the time, we can do it for you. Find out more information here or buy a fix session now for £149.99 plus tax using the button below.


Apache Fix
The following configuration should be added to the security.conf file to apply it globally, or to a virtual host block to apply it to that host only:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

IIS Fix
The Microsoft Knowledge Base article "How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll" describes how to enable just the FIPS 140 algorithms. Here's a summary:


Disable weak ciphers

Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" DWORD value to 0x0 for the following registry keys:

SCHANNEL\Ciphers\RC4 128/128
SCHANNEL\Ciphers\RC2 128/128
SCHANNEL\Ciphers\RC4 64/128
SCHANNEL\Ciphers\RC4 56/128
SCHANNEL\Ciphers\RC2 56/128
SCHANNEL\Ciphers\RC4 40/128
SCHANNEL\Ciphers\RC2 40/128
SCHANNEL\Ciphers\NULL
SCHANNEL\Hashes\MD5

Enable strong ciphers

Open the registry editor and locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders

Set the "Enabled" DWORD value to 0xffffffff for the following registry keys:

SCHANNEL\Ciphers\Triple DES 168/168
SCHANNEL\Hashes\SHA
SCHANNEL\KeyExchangeAlgorithms\PKCS

If the "Enabled" value does not exist yet, create it as a DWORD and set it to 0x0 or 0xffffffff as required.
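As an added example (not part of the original guide, and not Nessus, Apache or Microsoft code), the following Python script applies the plugin's own definition of medium strength, as quoted in the Nessus description above, to both cipher naming schemes used on this page. It expands the Apache SSLCipherSuite string with the local OpenSSL library through Python's ssl module and reports any suite whose key length falls in the 64 to 111 bit range or that uses 3DES, and it parses the Schannel registry key names from the IIS steps the same way. The Schannel key list is constructed from the names above. Note that by that definition Triple DES 168/168 is itself medium strength, so leaving it enabled will keep plugin 42873 reporting, while RC4 128/128 is not caught by this particular rule because it is a 128-bit cipher (Nessus reports RC4 under a separate plugin).

```python
"""Classify cipher suites by the Nessus 42873 "medium strength" rule.

Medium strength, per the plugin description: key length >= 64 bits and
< 112 bits, OR the cipher is 3DES. Two naming schemes are handled:
  * OpenSSL cipher names, as used by Apache's SSLCipherSuite
  * Schannel registry key names, as used in the IIS fix
Example script added for this page; not Nessus, Apache or Microsoft code.
"""
import re
import ssl

# The Apache cipher string from the fix above (OpenSSL list syntax).
APACHE_HARDENED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Constructed list: the Schannel cipher key names from the IIS steps above
# (the part of each path after SCHANNEL\Ciphers\).
SCHANNEL_KEYS = [
    "RC4 128/128", "RC2 128/128", "RC4 64/128", "RC4 56/128", "RC2 56/128",
    "RC4 40/128", "RC2 40/128", "NULL", "Triple DES 168/168",
]


def is_medium_strength(name, key_bits):
    """Apply the Nessus definition to one cipher.

    name: cipher name in OpenSSL or Schannel style; key_bits: symmetric key
    length. 3DES is always medium: its nominal 168-bit key gives only about
    112 bits of effective strength, which is why Nessus lists it separately.
    """
    upper = name.upper()
    if "3DES" in upper or "DES-CBC3" in upper or "TRIPLE DES" in upper:
        return True
    return 64 <= key_bits < 112


def schannel_key_bits(key_name):
    """Parse a Schannel cipher key name such as 'RC4 56/128' into key bits.

    The first number is the effective key length; NULL has no encryption.
    """
    if key_name.upper() == "NULL":
        return 0
    m = re.search(r"(\d+)/(\d+)$", key_name)
    if not m:
        raise ValueError("unrecognised Schannel cipher key: %r" % key_name)
    return int(m.group(1))


def audit_schannel_keys(key_names):
    """Return the Schannel keys that Nessus 42873 would count as medium strength."""
    return [k for k in key_names if is_medium_strength(k, schannel_key_bits(k))]


def audit_openssl_string(cipher_string):
    """Expand an OpenSSL/Apache cipher string with the local OpenSSL build and
    return the names of any medium-strength suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    medium = []
    for cipher in ctx.get_ciphers():
        # 'strength_bits' is the symmetric key length reported by OpenSSL
        if is_medium_strength(cipher["name"], cipher["strength_bits"]):
            medium.append(cipher["name"])
    return medium


if __name__ == "__main__":
    print("Medium-strength suites enabled by the Apache string:",
          audit_openssl_string(APACHE_HARDENED) or "none")
    print("Medium-strength Schannel keys:", audit_schannel_keys(SCHANNEL_KEYS))
```

Run with any Python 3.6 or later: on a current OpenSSL the Apache string expands to AES-GCM and AES-256 suites only, so nothing is reported, while the Schannel list yields RC4 64/128 and Triple DES 168/168. The same audit_openssl_string call can be pointed at any candidate SSLCipherSuite value before it is deployed.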

