Data Loss Prevention

  • 1.  Weak hash on HTTPS Certificate

    Posted Mar 28, 2013 08:41 AM

    Hi!

    After scanning the servers with XSpider, XSpider returned these problems on the Symantec DLP (10.5.1) servers:

     

    Remove the 1304 standard virtual sites that respond to HTTP-requests with arbitrary header HOST. In IIS to do this, set a non-null «Host header value» for all web sites.
    CVE-2004-2761 in the certificate chain contains certificates using cryptographically weak hash function. If possible, refuse to trust this certificate.
    ID: 7029 - the certificate does not match the domain name of the site?
    ID: 7031 - disable cipher with a key length <56 bits
    ID: 7034 - Self-Signed Certificate
     
    How can I close these problems?
     
    Regards.


  • 2.  RE: Weak hash on HTTPS Certificate

    Posted Apr 02, 2013 02:57 PM

    This is something that can be changed in the Tomcat configuration files.

     
    These two can be solved by generating a CSR and installing a real certificate on the server.  Googling for directions for Tomcat will get you there.
    ID: 7029 - the certificate does not match the domain name of the site?
    ID: 7034 - Self-Signed Certificate
     
     
    This I believe is solved by changing:
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    In your server.xml located in apps\Vontu\Protect\tomcat\conf
    ID: 7031 - disable cipher with a key length <56 bits

    Basically, if you google these problems and find the solutions for Tomcat, you can apply them to your Enforce console.
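
Added example, not part of the thread: a small audit of the `ciphers` attribute on a Tomcat `<Connector>`, reporting which suites fall under the 56-bit threshold named in ID 7031 and which are above it but deprecated for other reasons. The `<Connector>` element and its port are constructed sample input; the cipher list is the one quoted in the reply, and the patterns assume JSSE-style suite names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: minimal server.xml carrying the cipher list from the reply.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
      TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

# Effective key length below 56 bits: what scanner finding ID 7031 asks to disable.
UNDER_56 = re.compile(r"_EXPORT_|DES40|RC4_40|RC2_CBC_40|_NULL_")
# Not under 56 bits, but deprecated for other reasons.
DEPRECATED = {
    "RC4": re.compile(r"_RC4_"),           # prohibited in TLS by RFC 7465
    "MD5": re.compile(r"_MD5$"),           # MD5-based MAC
    "3DES": re.compile(r"_3DES_"),         # 64-bit block cipher
    "DES": re.compile(r"_WITH_DES_CBC_"),  # single DES, 56-bit key
    "anon": re.compile(r"_anon_"),         # no server authentication
}

def connector_ciphers(server_xml):
    """Yield (port, [suite, ...]) for each <Connector> that sets ciphers=."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("ciphers")
        if raw:
            yield conn.get("port"), [s.strip() for s in raw.split(",") if s.strip()]

def audit(server_xml):
    """Return {suite: [labels]} for flagged suites; clean suites are omitted."""
    findings = {}
    for _port, suites in connector_ciphers(server_xml):
        for suite in suites:
            labels = ["<56-bit"] if UNDER_56.search(suite) else []
            labels += [name for name, rx in DEPRECATED.items() if rx.search(suite)]
            if labels:
                findings[suite] = labels
    return findings

if __name__ == "__main__":
    for suite, labels in audit(SAMPLE_SERVER_XML).items():
        print(f"{suite}: {', '.join(labels)}")
```

On the list from the reply, no suite is flagged `<56-bit`, so it addresses ID 7031, while the RC4, MD5 and 3DES suites are still reported as deprecated.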