How to fix SSL Medium Strength Cipher Suites Supported (SWEET32) Vulnerability...


How does it happen..?

The SSL Medium Strength Cipher Suites Supported vulnerability is a security risk that can occur when a server supports the use of medium-strength encryption ciphers. These ciphers are considered to be less secure than stronger ciphers, and they can be more easily broken by attackers.
 
One example of a medium-strength cipher is RC4, which was first developed in the 1980s. RC4 is a Symmetric cipher, which means that the same key is used to encrypt and decrypt data. RC4 is relatively fast, but it is also relatively weak. In 2013, researchers discovered a new attack against RC4 that could be used to break the cipher in a matter of hours.

If a server supports the use of medium-strength ciphers, then an attacker could potentially exploit this vulnerability to break the encryption and gain access to sensitive data. This could include passwords, credit card numbers, or other personal information.


Mitigation...

We will offer two approaches to address this vulnerability, and you can select the method that aligns with your specific environmentIf you employ a self-managed hosting solution with a Linux server, Method 1 is applicable. similarly, if you utilize hosting services provided by a service provider, Method 2 is suitable.


Method 1: On the Server side

You are required to configure your server to use strong ciphers. You can achieve this by making changes to the configuration file of the server.

  • Locate your server config file

The location of the server config file depends on the web server software you are using.
Here are some examples of where you can find the server config file for some popular server software.


Apache/etc/apache2/apache2.conf
Nginx/etc/nginx/nginx.conf

  • Identify strong ciphers 

You need to identify strong and recommended ciphers according to the software your server uses. Most providers of web server software offer official documentation to assist in configuring and enabling strong encryption ciphers.


Alternatively, you have the option to use the Mozilla SSL Generator, which provides a recommended, standardized SSL configuration based on your particular web server version.

You have the option to input information about your server software and environment into the portal. In response, the portal will furnish you with a sample configuration file that aligns with the details you've provided
We will use the Apache configuration file generated by the Mozilla SSL generator for the remaining setup.
 
# generated 2023-08-22, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.7

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
The text highlighted in yellow color is the recommended strong ciphers by Mozilla.
You can copy this content and insert it into your configuration file as in the sample file. 

Then restart the Apache service to apply the changes.

Note:
Do not replace your existing web server configuration file with the sample file produced by Mozilla. Retrieve the necessary information from the sample file and use it appropriately.



Method 2: from cPanel and WHM

Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. The following section lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL.

If you find that you only have access to the cPanel, you should reach out to your hosting service provider and request them to enhance your default web service configuration with strong ciphers. You can guide the hosting service administrator by suggesting the steps below. However, if you have access to the WHM, you can proceed with the following modifications.

Go to  WHM ➝ Home ➝ Service Configuration ➝ cPanel Web Services Configuration



Replace TLS/SSL Cipher List with recommended and strong ciphers and then save the changes.
(If you have a list of medium-strength ciphers, you can exclude them from this list. There's no need to replace the default ciphers)



REFERENCES

[1] https://www.tenable.com/plugins/nessus/42873

[2] https://www.papercut.com/kb/Main/SSLCipherConfiguration/

[3] https://docs.cpanel.net/knowledge-base/security/how-to-update-ciphers-and-tls-protocols/

[4] https://ssl-config.mozilla.org/

0 Comments