Announcement

Collapse
No announcement yet.

Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

    A recent vulnerability scan against my server hosting NxFilter detected 'Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)' CVE-2016-2183
    Vulnerability Result
    CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
    TLSv1.2 WITH 64-BIT CBC CIPHERS IS SUPPORTED
    DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM
    EDH-RSA-DES-CBC3-SHA DH RSA SHA1 3DES(168) MEDIUM
    ADH-DES-CBC3-SHA DH None SHA1 3DES(168) MEDIUM
    ECDHE-RSA-DES-CBC3-SHA ECDH RSA SHA1 3DES(168) MEDIUM
    AECDH-DES-CBC3-SHA ECDH None SHA1 3DES(168) MEDIUM
    Is there a end user configuration option to disable ciphers?
    Tags: None
  • #2
    We currently support the default cipher suites provided by Java. We will filter out the ciphers vulnerable to security issues and add an option for users to define their own cipher suites.

    Comment

    • #3
      With the next version, we will support these cipher suites at defaul:

      TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305

      And if you want to set it by yourself, you will be able to use 'https_ciphers' option in '/nxiflter/conf/cfg.properties' file.

      Comment

      • #4
        I installed the new version and re-ran the scan. The Sweet32 vulnerability is no longer an issue. Cheers.

        Comment

        Previous template Next
        Working...
        X