CyberKeeda In Social Media

How to fix : OpenSSL Sweet 32 Birthday attack Vulnerability






Sweet32 Birthday attack, which affects the triple-DES cipher. OpenSSL has rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered as ‘bad’ as RC4.”

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.


Fix :

Verify the CIPHER status from below commands.

One can use openssl ciphers  command to see a list of available ciphers for OpenSSL




openssl ciphers

To check the status of DES and 3DES cipher below commands will help.

 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl2
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2



Find your Open SSL  config file ( openssl.conf )   and locate     SSLCipherSuite

You might find a lot of ciphers written parallel along with SSLCipherSuite.

Just Add  ! before DES and 3DES to disable CIPHER successive with :

 ! -- It states don't use
 : -- It states a begining of CIPHER
It should look like below

SSLCipherSuite !3DES:!DES 

Save and close ssl config file and restart apache to reflect changes.

On Ubuntu/Debian

systemctl restart apache2

On RHEL/CentOS

systemctl restart httpd

2 comments:

  1. we got vulnerability on all the linux servers "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)"" i have been searching here since long time but no use, there is no straight forward article how to remediate this. can some one come up with a proper and exact explanation.

    ReplyDelete
  2. we got vulnerability on all the linux servers "Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)"" i have been searching here since long time but no use, there is no straight forward article how to remediate this. can some one come up with a proper explanation.

    ReplyDelete

Designed By Jackuna