IBM Support

Security scan incorrectly reports that the IBM HTTP Server supports weak ciphers

Troubleshooting


Problem

Security scan incorrectly reports that the IBM HTTP Server supports weak ciphers even after the httpd.conf file had been configured to disable weak ciphers.

Symptom

Your security scanner software reports the following vulnerability with IBM HTTP Server SSL ciphers:

Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

The httpd.conf file is configured correctly with strong ciphers, and the weak SSLv2 ciphers are disabled:

<VirtualHost *:443>
    SSLEnable
    ## Disable SSLv2
    SSLProtocolDisable SSLv2
    ## Set strong ciphers
    SSLCipherSpec 3A
    SSLCipherSpec 34
    SSLCipherSpec 35
</VirtualHost>

The IBM HTTP Server error.log file shows that only the strong ciphers are actually being negotiated:

SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_SHA(35)
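As an added cross-check that is not part of the technote, the following Python script parses the three artifacts shown above (the SSLCipherSpec directives, the SSL0320I error-log entries and the scanner's plugin output) and reports whether the scanner's weak-cipher claim is backed by the server's own evidence. The embedded samples are constructed from the page's excerpts; the 56-bit threshold mirrors the scanner's "low strength" rule, and treating any negotiated cipher whose name contains EXPORT as export-grade is an assumption of this script, not documented IHS behaviour.

```python
import re
# Constructed sample inputs, copied from the technote's own excerpts.
HTTPD_CONF = """\
<VirtualHost *:443>
    SSLProtocolDisable SSLv2
    SSLCipherSpec 3A
    SSLCipherSpec 34
    SSLCipherSpec 35
</VirtualHost>
"""
ERROR_LOG = """\
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_MD5(34)
SSL0320I: Using Version 3 Cipher: SSL_RSA_WITH_RC4_128_SHA(35)
"""
# Scanner plugin output, one suite per line in `openssl ciphers -v` layout.
SCANNER_OUTPUT = """\
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""
SPEC_RE = re.compile(r"^\s*SSLCipherSpec\s+(\w+)", re.M)
LOG_RE = re.compile(r"SSL0320I: Using Version \d Cipher: (\S+)\((\w+)\)")
SCAN_RE = re.compile(r"^(\S+)\s.*?\bEnc=\w+\((\d+)\)", re.M)

def configured_specs(conf):
    """Cipher-spec IDs enabled by SSLCipherSpec directives, e.g. {'3A', '34', '35'}."""
    return {m.group(1).upper() for m in SPEC_RE.finditer(conf)}

def negotiated_ciphers(log):
    """Spec ID -> cipher name for every SSL0320I entry in the error log."""
    return {m.group(2).upper(): m.group(1) for m in LOG_RE.finditer(log)}

def scanner_weak_ciphers(scan, min_bits=56):
    """Suites the scanner lists whose symmetric key is under min_bits (its 'low strength' rule)."""
    return [m.group(1) for m in SCAN_RE.finditer(scan) if int(m.group(2)) < min_bits]

def cross_check(conf, log, scan):
    """Set the scanner's claim against what the server configured and actually negotiated."""
    specs, used = configured_specs(conf), negotiated_ciphers(log)
    r = {
        "scanner_weak": scanner_weak_ciphers(scan),
        # negotiated IDs outside the SSLCipherSpec list: something other than this vhost answered
        "unconfigured_negotiated": sorted(set(used) - specs),
        # IHS logs IANA-style names; export-grade suites carry EXPORT in the name (assumption)
        "export_negotiated": sorted(n for n in used.values() if "EXPORT" in n),
    }
    # the finding stands only if the server's own log shows a weak or unexpected suite
    r["corroborated"] = bool(r["unconfigured_negotiated"] or r["export_negotiated"])
    return r
```

With the page's own excerpts the scanner lists four 40-bit export suites while the log shows only the three configured suites, so the finding is reported as not corroborated; an error-log entry for an unconfigured or EXPORT-named cipher would flip the result.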



Document Information

Modified date: 03 March 2025

UID: swg21405740