
A VA/PT report shows the following for my PKI:

The SSL service permits the use of one or more anonymous ciphers, which an attacker may take advantage of via a man in the middle attack. The anonymous ciphers should be disabled.

What does it mean and how do I mitigate it?

Anders
Rakesh
    see [SSL Server Allows Anonymous Authentication Vulnerability](http://security.stackexchange.com/questions/141427/ssl-server-allows-anonymous-authentication-vulnerability/141430#141430) and [How are anonymous cipher suites exploited](http://security.stackexchange.com/questions/133269/how-are-anonymous-cipher-suites-exploited) – Steffen Ullrich Nov 03 '16 at 10:36

1 Answer


Since your question is very vague, I can but guess.

Anonymous cipher means that the key exchange happens without any authentication taking place, meaning that no (server) certificate is used in the process. But without any authentication, the DH key exchange can easily be attacked by a MitM.

To mitigate this, you have to reconfigure your server software, whatever it may be. Look for the configuration setting where you can enter the allowed cipher suites. If you just want to get rid of the anonymous ciphers, you must only disallow the DH_ANON mechanism. Preferably, you would put in a whitelist of acceptable cipher suites.

A good guide for the specific settings of popular server software plus a list of acceptable cipher suites is provided by the friendly people of bettercrypto.

mat
    Choice of SSLv3 and SSLv2 vs. TLS 1.x are unrelated to use of anonymous ciphers – Steffen Ullrich Nov 03 '16 at 10:34
  • I put it there, because I found it a sensible thing to do, since he has to update his server configuration anyway. But you are correct of course, it doesn't really matter for the question asked. I removed that part. – mat Nov 03 '16 at 10:39
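As an added example (not part of the answer or the original thread), a small check that mirrors what the scanner flagged: it parses `openssl ciphers -v` style output and reports any suite whose authentication field is `Au=None`, which is exactly the anonymous (ADH/AECDH) family the answer says to disallow. The sample output is constructed and the helper names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of `openssl ciphers -v` output (not a real scan). The first
# block is what a permissive list such as "ALL" can return, including suites with
# Au=None; the second is a whitelist naming only authenticated ECDHE suites.
PERMISSIVE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
ADH-AES128-GCM-SHA256       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""
WHITELIST_OUTPUT = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
"""

# One line per suite: name, protocol, then Kx= (key exchange) and Au= (authentication).
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")

def parse_cipher_list(output: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts with name, proto, kx and au."""
    suites = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites

def anonymous_suites(output: str) -> List[str]:
    """Names of suites whose key exchange is unauthenticated (Au=None).
    With no certificate tying the (EC)DH exchange to the server, a MitM can
    complete the handshake with both sides, which is the report's finding."""
    return [s["name"] for s in parse_cipher_list(output) if s["au"] == "None"]

def assess(output: str) -> str:
    """Verdict in the style of the VA/PT finding: FAIL lists the offending suites."""
    anon = anonymous_suites(output)
    if anon:
        return "FAIL: anonymous cipher suites enabled: " + ", ".join(anon)
    return "PASS: every enabled suite authenticates the server"

if __name__ == "__main__":
    print(assess(PERMISSIVE_OUTPUT))
    print(assess(WHITELIST_OUTPUT))
```

To check a real configuration, feed the server's configured cipher string through `openssl ciphers -v '<cipher string>'` and pass the output to `assess`; in OpenSSL cipher-string syntax the answer's "disallow DH_ANON" is spelled `!aNULL`.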