Bachan
Contributor

Vulnerability-ssl-weak-message-authentication-code-algorithms for Port 8211

Host : Management Server(SMS)

OS : R80.40 

Port:8211

Vulnerability_ID :ssl-weak-message-authentication-code-algorithms

Vulnerability_NAME : TLS/SSL Weak Message Authentication Code Cipher Suites

Vulnerability_Proof: Negotiated with the following insecure cipher suites:

* TLS 1.2 ciphers:
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    * TLS_RSA_WITH_AES_128_CBC_SHA

Vulnerability_Solution: Disable any weak HMAC algorithms within the TLS configuration. The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27; Chrome 22; IE 11; Opera 17 and Safari 9. SSLv2; SSLv3; TLSv1 and TLSv1.1 protocols are not recommended in this configuration. Instead use TLSv1.2 protocol. Refer to your server vendor documentation to apply the recommended cipher configuration:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS

Port 8211 uses TLS 1.2. Attached file for reference.

 

We have checked the sshd.config file and httpd; all looks fine. Can you please let us know what needs to be tweaked here?

 

 

0 Kudos
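The finding above turns on one property of the suite name: in a non-AEAD suite the trailing token names the record HMAC, and a bare SHA (HMAC-SHA1) or MD5 is what the scanner calls a weak message authentication code. The script below is an added example, not Check Point's code or the scanner's; it applies that rule to the two suites reported on port 8211 and to the recommended OpenSSL cipher string quoted in the finding, both copied from the post as constructed input.

```python
"""Flag TLS cipher suites whose record MAC is a weak HMAC (SHA1 or MD5).

Rule behind this finding: in a non-AEAD suite the trailing name token is the
HMAC hash, so "_SHA"/"-SHA" means HMAC-SHA1 and "MD5" means HMAC-MD5. AEAD
suites (GCM, CCM, CHACHA20-POLY1305) have no separate HMAC; their SHA256 or
SHA384 suffix only names the PRF, so they are not flagged. Handles IANA
names (TLS_..._WITH_...) and OpenSSL names (ECDHE-RSA-...).
"""
WEAK_MAC_TOKENS = {"SHA", "SHA1", "MD5"}

def _normalize(suite: str) -> str:
    return suite.strip().upper().replace("-", "_")

def is_aead(suite: str) -> bool:
    """True for suites that authenticate with an AEAD mode instead of an HMAC."""
    s = _normalize(suite)
    return "_GCM_" in s or "_CCM" in s or "CHACHA20_POLY1305" in s

def mac_token(suite: str) -> str:
    """Trailing name token; for non-AEAD suites this is the HMAC hash."""
    return _normalize(suite).split("_")[-1]

def has_weak_mac(suite: str) -> bool:
    return not is_aead(suite) and mac_token(suite) in WEAK_MAC_TOKENS

def weak_mac_suites(suites):
    """Subset of `suites` that would trigger this scanner finding."""
    return [s for s in suites if has_weak_mac(s)]

def parse_openssl_cipher_string(cipher_string: str):
    """Split an OpenSSL cipher string into (enabled suites, '!' exclusions)."""
    enabled, excluded = [], []
    for item in filter(None, (i.strip() for i in cipher_string.split(":"))):
        (excluded if item.startswith("!") else enabled).append(item.lstrip("!"))
    return enabled, excluded

# Constructed input: the two suites the scan reported on port 8211 and the
# recommended OpenSSL cipher string quoted in the finding's solution text.
SCANNER_PROOF = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
RECOMMENDED = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
               "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
               "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS")

if __name__ == "__main__":
    print("weak-MAC suites on 8211:", weak_mac_suites(SCANNER_PROOF))
    enabled, excluded = parse_openssl_cipher_string(RECOMMENDED)
    print("weak-MAC suites in recommended list:", weak_mac_suites(enabled))
```

Both reported suites are flagged while every enabled suite in the recommended string passes, which is why the fix is a cipher-list change on the listener rather than a protocol-version change.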
1 Solution

Accepted Solutions
Wei_Zhang
Employee

Kindly refer to sk181683; a hotfix is needed to disable the weak HMAC algorithms.

https://support.checkpoint.com/results/sk/sk181683


9 Replies
PhoneBoy
Admin
0 Kudos
Bachan
Contributor

As per the attached screenshot, we are already on TLS 1.2, but we are still getting the above vulnerability in the scan report.

0 Kudos
PhoneBoy
Admin

Recommend engaging with the TAC: https://help.checkpoint.com 

0 Kudos
the_rock
Legend

I was going to suggest the same sk as PhoneBoy, but since you said it's already on TLS 1.2, it is best to contact TAC to verify.

Andy

0 Kudos
the_rock
Legend

Can you confirm how the below is set in Global Properties?

Andy

 

Screenshot_1.png

0 Kudos
Bachan
Contributor

Both are set to TLS 1.2.

0 Kudos
the_rock
Legend

Then I would say contact TAC, for sure.

0 Kudos
the_rock
Legend

Please let us know what they say, as the answer can help others with the same issue.

Andy

0 Kudos