3 Replies Latest reply on Nov 24, 2014 4:48 PM by kurchy

    SSL Server Allows Anonymous Authentication

    kurchy


      We are currently deploying a Filemaker solution in a corporate environment and have run into a bit of a security issue.

      They are using QualysGuard Enterprise Suite to scan the servers for vulnerabilities, and it has flagged one on the Filemaker port 5003.

      Below are the results of the scan.  Has anyone else seen this problem or have any ideas as to what to try?  We have deployed 2 servers at this location and both are reporting the same issue.  The solution mentions disabling anonymous authentication.  Is there a setting in FM Server for that, that I’m not seeing?  Both servers are running Server 2012 and FM Server 13.0 v4.

       

      SSL Server Allows Anonymous Authentication Vulnerability

      port 5003/tcp over SSL

       

      THREAT:

      The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

      A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack.

      IMPACT:

      An attacker can exploit this vulnerability to impersonate your server to clients.

      SOLUTION:
      Disable support for anonymous authentication.

      1) Apache:
      Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
      SSLProtocol -ALL +SSLv3 +TLSv1
      SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
      For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
      SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

      2) IIS:
      For IIS please see: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (http://support.microsoft.com/kb/187498/en-us), How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (http://support.microsoft.com/kb/245030/en-us), How to Determine the Cipher Suite for the Server and Client (http://support.microsoft.com/kb/299520/en-us), and How to restrict the use of certain ciphers in Internet Information Services 5.0 (http://support.microsoft.com/kb/241447)

      3) Wu-FTP:
      For Wu-FTP which supports TLS, the ciphers parameter in the TLS configuration file should be set to -ALL +SSLv3 +TLSv1. For more details please consult the docs/HOWTO/ssl_and_tls_ftpd.HOWTO file provided by the wu-ftpd distribution.

      4) Lighttpd:
      For lighttpd: Locate the lighttpd config file and modify the following ssl.cipher-list line to include !aNULL. A restart of the lighttpd application is necessary.
      Example: ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

      Thanks,

      Great Lakes Database
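An added example, not part of the post above or of the Qualys report it quotes, showing how to confirm this finding yourself before and after changing the server configuration. The finding is about cipher suites with no server authentication (the `aNULL`/`ADH`/`AECDH` suites that the quoted cipher strings exclude). The script parses a cipher listing in the column format printed by `openssl ciphers -v` (the listing below is a constructed sample, not output from any FileMaker server) and flags every suite whose `Au` field is `None`; it also contains a live probe that offers a server only anonymous suites and reports whether the handshake completes. The host and port for the probe are whatever you pass in; port 5003 is the FileMaker port named in the post.

```python
import socket
import ssl

# Constructed sample in the column format printed by `openssl ciphers -v`
# (name, protocol, Kx=key exchange, Au=authentication, Enc, Mac).
# Au=None marks an anonymous suite: the server proves nothing about itself.
SAMPLE_CIPHER_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA              TLSv1   Kx=ECDH Au=None  Enc=AES(256)    Mac=SHA1
ADH-AES128-SHA                SSLv3   Kx=DH   Au=None  Enc=AES(128)    Mac=SHA1
DHE-RSA-AES128-SHA            SSLv3   Kx=DH   Au=RSA   Enc=AES(128)    Mac=SHA1
AES128-SHA                    SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
"""


def parse_cipher_listing(text):
    """Parse `openssl ciphers -v` style lines into dicts (name, protocol, kx, au)."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({
            "name": fields[0],
            "protocol": fields[1],
            "kx": attrs.get("Kx"),
            "au": attrs.get("Au"),
        })
    return suites


def anonymous_suites(suites):
    """Names of suites with no server authentication (Au=None).

    These are exactly the suites the scanner finding is about: if a server
    negotiates one of them, a man-in-the-middle can impersonate it.
    """
    return [s["name"] for s in suites if s["au"] == "None"]


def server_accepts_anonymous_tls(host, port, timeout=5.0):
    """Offer the server ONLY anonymous suites; report which one, if any, it takes.

    Returns the negotiated (name, protocol, bits) tuple when the handshake
    completes (finding confirmed) or None when the server rejects every
    anonymous suite (finding fixed). host/port are assumptions supplied by
    the caller, e.g. your own FileMaker host and port 5003.
    ssl.SSLError from set_ciphers means the local OpenSSL build has no
    anonymous suites compiled in at all, so this probe cannot be run from it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # an anonymous handshake carries no certificate to verify
    # TLS 1.3 has no anonymous suites and configures its suites separately, so
    # cap at TLS 1.2; otherwise a TLS 1.3 server would "succeed" with its normal cert.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # "aNULL" selects Au=None suites only. OpenSSL's default security level
    # (1 or higher) refuses unauthenticated suites, so lower it for this probe.
    ctx.set_ciphers("aNULL:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
        except ssl.SSLError:
            return None  # handshake failed: server offers no anonymous suite


if __name__ == "__main__":
    import sys
    suites = parse_cipher_listing(SAMPLE_CIPHER_LISTING)
    print("anonymous suites in sample listing:", anonymous_suites(suites))
    if len(sys.argv) == 3:
        print("live probe:", server_accepts_anonymous_tls(sys.argv[1], int(sys.argv[2])))
```

Run it with no arguments to see the parser flag the two anonymous suites in the sample; run it as `python probe.py yourhost 5003` against your own server to get a yes/no answer that matches what the scanner reports. A result of None after the configuration change is the evidence to attach to the scan exception.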