Thank you all.
I edited the Connector node in the server.xml file for my Tomcat installation to include the below cipher code:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
This should remove the "Weak Cipher Suites" compliance error for Tomcat in the VA scan.
Had to do this as I was unable to find the ssl.conf file.
Thanks, Anumeha
On Wed, Jul 31, 2013 at 9:18 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
On 31.07.2013 10:52, Anumeha Prasad wrote:
Hi,
The following 2 vulnerabilities were detected in the VA scan required for PCI compliance:
- SSL Weak Cipher Suites Supported
- SSL Medium Strength Cipher Suites Supported
I'm using CentOS 5.8 with OpenSSL version "openssl-0.9.8e-22.el5_8.4".
Any idea how to get rid of this?
Thanks, Anumeha
You have far more security issues with your system than just providing weak SSL ciphers, because you are not up to date. The current CentOS 5 minor release is 9 with a fair amount of additional bug and security updates.
Update ASAP (`yum update').
Alexander
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
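
Added example (not part of the original thread, and not Tomcat or scanner code): a small audit that reads the ciphers attribute of each Connector in a server.xml and flags suites by the algorithm tokens in their names, so the list can be checked before the next scan. The sample server.xml, its port 8443 and the rule table are assumptions made for this example; the cipher list is the one quoted in the message.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: minimal server.xml carrying the cipher list quoted in the message.
# The port and the other Connector attributes are made up for the example.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
      TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

# Assumed audit rules (this example's own, not any scanner's):
# pattern in the JSSE suite name -> reason it is flagged.
RULES = [
    (r"_NULL_", "no encryption"),
    (r"_anon_", "anonymous key exchange"),
    (r"_EXPORT_", "export-grade key length"),
    (r"_DES_", "single DES"),
    (r"_RC4_", "RC4 stream cipher"),
    (r"_3DES_", "3DES, 64-bit block cipher"),
    (r"_MD5$", "MD5 MAC"),
]

def connector_ciphers(server_xml):
    """Return {port: [suite, ...]} for every Connector that sets ciphers=."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("ciphers")
        if raw:
            found[conn.get("port", "?")] = [s.strip() for s in raw.split(",") if s.strip()]
    return found

def audit(suites):
    """Map each flagged suite to the reasons it matched; clean suites are omitted."""
    flagged = {}
    for suite in suites:
        reasons = [why for pattern, why in RULES if re.search(pattern, suite)]
        if reasons:
            flagged[suite] = reasons
    return flagged

if __name__ == "__main__":
    for port, suites in connector_ciphers(SAMPLE_SERVER_XML).items():
        flagged = audit(suites)
        for suite in suites:
            print(port, suite, "; ".join(flagged.get(suite, ["ok under these rules"])))
```

Connectors without a ciphers attribute are skipped, since they fall back to the JVM's default suite list, which this example does not inspect.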