CyberKeeda In Social Media

How to fix : OpenSSL Sweet 32 Birthday attack Vulnerability






Sweet32 Birthday attack, which affects the triple-DES cipher. OpenSSL has rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered as ‘bad’ as RC4.”

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.


Fix :

Verify the CIPHER status from below commands.

One can use openssl ciphers  command to see a list of available ciphers for OpenSSL




openssl ciphers

To check the status of DES and 3DES cipher below commands will help.

 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl2
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2



Find your Open SSL  config file ( openssl.conf )   and locate     SSLCipherSuite

You might find a lot of ciphers written parallel along with SSLCipherSuite.

Just Add  ! before DES and 3DES to disable CIPHER successive with :

 ! -- It states don't use
 : -- It states a begining of CIPHER
It should look like below

SSLCipherSuite !3DES:!DES 

Save and close ssl config file and restart apache to reflect changes.

On Ubuntu/Debian

systemctl restart apache2

On RHEL/CentOS

systemctl restart httpd

No comments:

Post a Comment

Designed By Kunal Saha