When we run a security test tool against the web server of PRTG we get an alarm stating that the web server accepts connections with low security encryption.
By default SSLv2 is disabled in PRTG's webserver and only SSLv3 connections are accepted.
Note: It is possible to activate it manually using a registry entry. To enable/disable SSLv2 please see: https://kb.paessler.com/knowledgebase/en/topic/11813
Specifically we set "SSLv3+MEDIUM:SSLv3+HIGH" as allowed ciphers.
This is a scan of the SSLScan tool (http://sourceforge.net/projects/sslscan/) against a default installation of PRTG:
D:\Tools\SSLScan>sslscan 10.0.0.219
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2-win
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Compiled against OpenSSL 0.9.8m 25 Feb 2010
Testing SSL server 10.0.0.219 on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
=> Accepted SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
=> Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
=> Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
=> Accepted SSLv3 128 bits IDEA-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
=> Accepted SSLv3 128 bits RC4-SHA
=> Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Failed TLSv1 256 bits AES256-SHA
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Failed TLSv1 128 bits AES128-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
SSLv3 256 bits AES256-SHA
Only SSLv3 with medium and high ciphers are accepted.
Are you testing against a default installation?
Is the registry entry "AllowSSLV2" (Path: "\software\Paessler\PRTG Network Monitor\Path Server\Webserver") perhaps set? (see link above)
Please try scanning using the SSLScan tool to see if you get different results with your installation.
We use the OpenSSL library for the SSL encryption, which is the reference implementation, so everything should be by the rules.
Dec, 2011 - Permalink
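As an added example (not Paessler's code and not part of the answer above), here is a small Python check that parses sslscan result lines in the format quoted above and lists which accepted protocol/cipher pairs a present-day scanner would report as low security. The weak-protocol and weak-component sets are an assumed review policy, not PRTG's cipher settings, and the sample scan lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the sslscan 1.8 line format quoted on this page (not the full scan).
SAMPLE_SCAN = """\
Supported Server Cipher(s):
Rejected SSLv2 128 bits RC4-MD5
=> Accepted SSLv3 256 bits AES256-SHA
=> Accepted SSLv3 168 bits DES-CBC3-SHA
=> Accepted SSLv3 128 bits RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Failed TLSv1 256 bits AES256-SHA
SSLv3 256 bits AES256-SHA
"""

# One result line: optional "=>" marker, status, protocol, key bits, OpenSSL cipher name.
CIPHER_LINE = re.compile(
    r"^\s*(?:=>\s*)?(?P<status>Accepted|Rejected|Failed)\s+"
    r"(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(?P<bits>\d+)\s+bits\s+(?P<cipher>\S+)\s*$"
)

# Assumed review policy: protocols and cipher-name components flagged as low security today.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_COMPONENTS = {"RC4", "DES", "IDEA", "EXP", "NULL", "ADH", "MD5"}


def parse_accepted(scan_text):
    """Map protocol -> [(bits, cipher)] for every line the server accepted."""
    accepted = defaultdict(list)
    for line in scan_text.splitlines():
        m = CIPHER_LINE.match(line)
        if m and m.group("status") == "Accepted":
            accepted[m.group("proto")].append((int(m.group("bits")), m.group("cipher")))
    return dict(accepted)


def weak_findings(accepted, min_bits=128, weak_protocols=WEAK_PROTOCOLS):
    """Return (proto, cipher, reason) for each accepted pair that violates the policy."""
    findings = []
    for proto, ciphers in accepted.items():
        for bits, cipher in ciphers:
            reasons = []
            if proto in weak_protocols:
                reasons.append("deprecated protocol " + proto)
            if bits < min_bits:
                reasons.append(f"{bits}-bit key")
            # OpenSSL names are dash-separated, e.g. DES-CBC3-SHA -> {DES, CBC3, SHA}
            reasons += sorted("weak component " + c for c in WEAK_COMPONENTS & set(cipher.split("-")))
            if reasons:
                findings.append((proto, cipher, "; ".join(reasons)))
    return findings
```

Running `weak_findings(parse_accepted(SAMPLE_SCAN))` flags every accepted pair because the protocol is SSLv3; passing `weak_protocols=set()` leaves only the RC4 and 3DES suites, which is the kind of finding a scanner reports even though the server's own policy rates them MEDIUM or HIGH.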