The Sweet32 birthday attack affects the triple-DES (3DES) cipher. 3DES has a 64-bit block, so after roughly 2^32 blocks (about 32 GB) encrypted under one key, block collisions become likely and an attacker observing a long-lived connection can recover plaintext. OpenSSL rated the triple-DES vulnerability as low severity, but stated that "triple-DES should now be considered as 'bad' as RC4."
The Sweet32 birthday attack does not affect SSL certificates; certificates do not need to be renewed, reissued, or reinstalled. The fix is a server configuration change: stop offering 64-bit-block cipher suites.
Fix:
First verify the cipher status with the commands below.
The openssl ciphers command lists the cipher suites the local OpenSSL build supports (add -v to see the protocol version, key exchange and encryption algorithm of each suite):
openssl ciphers
To check whether the server still negotiates DES or 3DES, offer only those suites with openssl s_client, once per protocol version (replace yourserverIP with the host or IP you are testing):
openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl2
openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3
openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1
openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1
openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2
Reading the result: if the handshake completes and the output contains a line such as "Cipher is DES-CBC3-SHA", the server still accepts a 64-bit-block cipher on that protocol version and is vulnerable. If you get "handshake failure" or "Cipher is (NONE)", the cipher is already disabled for that version. Note that -ssl2 was removed in OpenSSL 1.1.0 and -ssl3 only exists when OpenSSL was built with SSLv3 support; if the option is rejected as unknown, that protocol cannot be tested from this client (and a modern server should not offer it anyway). TLS 1.3 needs no check, because it defines no 3DES suites.
SSLCipherSuite is an Apache mod_ssl directive, not an OpenSSL setting, so it lives in the Apache SSL configuration rather than in openssl.cnf. Typical locations are /etc/apache2/mods-enabled/ssl.conf or the sites-enabled virtual host files on Ubuntu/Debian, and /etc/httpd/conf.d/ssl.conf on RHEL/CentOS. Locate every SSLCipherSuite line (a virtual host can override the global one).
The directive usually carries a long colon-separated list of cipher names and keywords.
Append !3DES:!DES to that list. In OpenSSL cipher-list syntax a leading ! removes the matching ciphers permanently (unlike -, which lets a later entry add them back), and : separates the entries.
It should look like this, with your existing list kept in front of the new entries (! means "never use"; : starts the next entry):
SSLCipherSuite <your existing cipher list>:!3DES:!DES
Do not reduce the directive to only !3DES:!DES: a list that matches no ciphers makes mod_ssl fail to start with a "no cipher match" error.
Save and close the SSL config file, check the syntax with apachectl configtest, and restart Apache for the change to take effect.
On Ubuntu/Debian:
systemctl restart apache2
On RHEL/CentOS/Fedora:
systemctl restart httpd
Afterwards rerun the openssl s_client checks above; every protocol version should now report a handshake failure when only DES:3DES is offered.
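The whole check, before and after the configuration change, as an added example script (not part of the original post). It wraps the openssl s_client probes above in a loop, interprets the output instead of leaving that to eye, and additionally expands a candidate SSLCipherSuite value with openssl ciphers -v to confirm that no 64-bit-block suite survives before Apache is restarted. Because scanners word this finding as "TLS ciphers with 64bit block size", the script also flags IDEA suites, which share the 64-bit block; that extension, the host and port arguments, and the sample cipher list in the usage comment are assumptions of this example, not something the original page states.

```shell
#!/bin/sh
# Added example script (not from the original post): probe a server for
# Sweet32-relevant 64-bit-block ciphers and vet a candidate SSLCipherSuite
# value. Only standard openssl(1) subcommands are used; host, port and the
# cipher list are arguments supplied by the caller.

# Pure helper: given the text of an `openssl s_client` run, decide whether the
# handshake completed with a 64-bit-block cipher. s_client prints
# "Cipher is <NAME>" after a successful handshake and "Cipher is (NONE)"
# when the server rejected every suite we offered.
sweet32_transcript_is_vulnerable() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') return 1 ;;      # no handshake, or the protocol flag was unsupported
        *DES*|*IDEA*) return 0 ;;     # DES, 3DES and IDEA all use 64-bit blocks
        *) return 1 ;;                # some other cipher was negotiated
    esac
}

# Pure helper: given `openssl ciphers -v` output, print the suites whose
# encryption algorithm has a 64-bit block; returns 0 if any were found.
sweet32_expansion_has_64bit() {
    printf '%s\n' "$1" | grep -E 'Enc=(3DES|DES|IDEA)\('
}

# Probe HOST:PORT once per protocol version, offering only the weak suites.
# Flags this OpenSSL build lacks (-ssl3 on most current builds) make
# s_client exit with an error and no "Cipher is" line, which is reported
# as "not negotiated".
sweet32_probe() {
    host=$1; port=${2:-443}
    for proto in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" \
                 -cipher 'DES:3DES:IDEA' "$proto" </dev/null 2>&1) || true
        if sweet32_transcript_is_vulnerable "$out"; then
            printf '%-8s VULNERABLE: negotiated %s\n' "$proto" \
                "$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n 1)"
        else
            printf '%-8s ok: no 64-bit-block cipher negotiated (or protocol not available)\n' "$proto"
        fi
    done
}

# Expand a candidate SSLCipherSuite value with the local OpenSSL. Fails if any
# 64-bit-block suite survives, or if the list is invalid or empty (mod_ssl
# would refuse to start with "no cipher match" in that case).
sweet32_cipherlist_is_clean() {
    expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    ! sweet32_expansion_has_64bit "$expanded" >/dev/null
}

# Usage (the cipher list here is an illustrative value, not a recommendation
# taken from the page):
#   sh sweet32_check.sh www.example.com 443 'HIGH:!aNULL:!MD5:!3DES:!DES'
if [ -n "${1:-}" ]; then
    sweet32_probe "$1" "${2:-443}"
fi
if [ -n "${3:-}" ]; then
    if sweet32_cipherlist_is_clean "$3"; then
        echo "cipher list is free of 64-bit-block suites"
    else
        echo "cipher list still expands to 64-bit-block suites (or is invalid):"
        sweet32_expansion_has_64bit "$(openssl ciphers -v "$3" 2>/dev/null)"
    fi
fi
```

Run the probe against the server before the change to confirm the finding, then pass the exact value you intend to put in SSLCipherSuite as the third argument; only restart Apache once the list is reported clean, and rerun the probe afterwards to confirm every protocol version now refuses the weak suites.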
We got the vulnerability on all the Linux servers: "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)". I have been searching here for a long time but with no use; there is no straightforward article on how to remediate this. Can someone come up with a proper and exact explanation?