Patch SSL Vulnerabilities in your Browser and Server

Patch SSL Vulnerabilities in your Browser and Server

Use SSL Labs to test your Browser and Server for SSL vulnerabilities.  The most common vulnerabilities and how to patch them are mentioned below:

1) Certificate uses weak hashing algorithm (example: MD5, SHA-1, etc)

Get new SSL certificates issued with the latest hashing algorithm (example: SHA-2, SHA-3)

2) SSL v2 / v3, which are vulnerable versions of SSL, are supported by the browser / server.

Update your browser to the latest version.

To mitigate server side SSL vulnerabilities, please refer to https://wiki.mozilla.org/Security/Server_Side_TLS  to learn about the best SSL configuration for common server platforms.

3) Forward Secrecy is not enabled.

The ordering of a ciphersuite is very important in deciding which algorithms are going to be selected in priority. The recommendation in the mozilla link above prioritizes algorithms that provide perfect forward secrecy.

4) Weak cipher suites are enabled.

Refer to the recommendations in the mozilla link above for common servers.

4) Vulnerable to SSL Fallback attack.

Upgrade to the latest version of OpenSSL which supports the TLS_FALLBACK_SCSV implementation which prevents an SSL protocol downgrade attack.

Note: For IBM HTTP Servers, refer to this link to learn more about how to configure SSL.  The commands are not covered in the mozilla link above.  But, the idea is to learn from the mozilla link and implement using the IBM proprietary directives mentioned in the IBM link.

References

http://unix.stackexchange.com/questions/162478/how-to-disable-sslv3-in-apache

http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

http://stackoverflow.com/questions/26406586/how-to-enable-tls-fallback-scsv-on-apache

https://www-01.ibm.com/support/knowledgecenter/linuxonibm/liaag/wascrypt/l0wscry00_configihssslsupport.htm

http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ssldirs.html

https://developer.ibm.com/answers/questions/210626/does-ibm-http-server-support-apache-directive-sslh.html

Patch SSL Vulnerabilities in your Browser and Server

Leave a Reply

Your email address will not be published. Required fields are marked *