IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)
Occasional Advisor
DevinYao
Posts: 7
Registered: ‎07-05-2012
Message 1 of 6 (1,800 Views)

IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

Hi All,

Who can help me with this issue? Is it a false positive?

After upgrading WebInspect to version 10, the scan found these issues for our web application:

Insufficient Transport Layer Protection - Weak Cipher (11285)

Insufficient Transport Layer Protection - Weak Protocol (11286)

We checked them and found that it is an IIS configuration issue, and Microsoft gives the solution:

http://support.microsoft.com/kb/187498
But our IIS is installed on Windows Server 2008 R2 and the IIS version is 7.5, and that patch cannot fix the issue on our system; it gives the message "This Microsoft Fix it does not apply to your operating system or application version".

If so, does IIS 7.5 actually not have these issues? Is it a false positive? Or how can we configure our IIS so that the scan does not report that issue? Please help, thanks.

Respected Contributor
HansEnders
Posts: 549
Registered: ‎07-01-2008
Message 2 of 6 (1,769 Views)

Re: IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

If we look up this check #11285 in the Policy Manager, we will see that it was last updated in August 2012. It is quite likely that the Fix details for specific server versions can become outdated as new releases arrive or additional patches are created. The check's logic should still be sound, but the text details we provide to accompany it may need an update over time.

An alternative way to review this issue (and, before the TLS checks were created, the only way) would be to run the Server Analyzer tool against the site. This will display the certificates encountered during that brief test as well as the encryption levels accepted by the server. It is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users, based on industry best practices.

I am afraid that since the listed KB articles do not apply to your current server version, you will need to investigate the specific corrective measures yourself. I will forward this instance on to our check writers team to review and perhaps update these details for this check.

-- Habeas Data
Occasional Advisor
DevinYao
Posts: 7
Registered: ‎07-05-2012
Message 3 of 6 (1,762 Views)

Re: IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

Hi Habeas,


Thanks for your check first.

1. Following your comment, if you say "it is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users", then:

I double-checked that my connection is encrypted with 128-bit keys, so it is not a critical bug if I think 128-bit keys are acceptable?

I only need to recommend to my organization that 256-bit key encryption is better?

If so, this is only a site certificate encryption warning, not an issue, am I right?

2. What should I do to investigate the specific corrective measures myself? Could you give me a guide?


Thanks,

Devin

Occasional Advisor
DevinYao
Posts: 7
Registered: ‎07-05-2012
Message 4 of 6 (1,757 Views)

Re: IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

Hi Habeas,

I have run the Server Analyzer. Please help me check the attachment "Server Analyzer Result".

Thanks,

Devin
Frequent Advisor
Jeremy_Brooks
Posts: 59
Registered: ‎01-04-2011
Message 5 of 6 (1,696 Views)

Re: IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

According to the document, these are true positives. WI is flagging Weak Protocol because the server has SSLv2 enabled. SSLv2 is broken and should be disabled completely. Weak Cipher is flagged because RC4 and 3DES are enabled. These are recommended to be disabled in favor of stronger algorithms such as AES. For more information on testing for weak ciphers and protocols, please review this OWASP wiki page:

https://www.owasp.org/index.php/Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Prote...

As for how to fix this in IIS 7.5, I have not tried it, but see if this Stack Overflow thread helps:

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis

And let us know if it does :).

Jeremy

HP WebInspect Developer
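Added example, not from the thread and not HP's code: a PowerShell script (PowerShell 3 or later assumed) that does for one site roughly what checks 11285/11286 and the Server Analyzer do. It offers each SSL/TLS version to the server in turn, records which versions the server accepts and which cipher it negotiates for each, and rates the result by the criteria in Jeremy's reply (SSLv2 = weak protocol, RC4 or 3DES = weak cipher). The host name and port are placeholders.

```powershell
# Added example, not from the thread. Probes one HTTPS endpoint to see which
# SSL/TLS versions it accepts and which cipher it negotiates for each, then
# rates the result by the thread's criteria: SSLv2 = weak protocol,
# RC4 or 3DES = weak cipher. $TargetHost and $Port are assumed placeholders.
param(
    [string]$TargetHost = 'www.example.com',  # assumption: put your site here
    [int]$Port = 443
)

$versions     = 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12'
$weakVersions = @('Ssl2')               # what check 11286 flagged in the thread
$weakCiphers  = @('Rc4', 'TripleDes')   # what check 11285 flagged in the thread

function Test-SslVersion {
    param([string]$Version)
    $proto = [System.Security.Authentication.SslProtocols]$Version
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Accept any certificate: we are auditing protocols and ciphers here,
        # not chain validity, so the validation callback always returns $true.
        $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        # Offer only this one version; a server that does not accept it fails the handshake.
        $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
        $cipher = $ssl.CipherAlgorithm.ToString()
        $bits   = $ssl.CipherStrength
        $ssl.Close()
        if ($weakVersions -contains $Version)    { $finding = 'Weak Protocol (11286)' }
        elseif ($weakCiphers -contains $cipher) { $finding = 'Weak Cipher (11285)' }
        else                                    { $finding = 'OK' }
        [pscustomobject]@{ Version = $Version; Accepted = $true;  Cipher = $cipher; Bits = $bits; Finding = $finding }
    } catch {
        # Handshake refused (or this client cannot speak that version at all).
        [pscustomobject]@{ Version = $Version; Accepted = $false; Cipher = '-';     Bits = 0;     Finding = 'rejected' }
    } finally {
        $tcp.Close()
    }
}

$versions | ForEach-Object { Test-SslVersion $_ } | Format-Table -AutoSize
```

Two limits to keep in mind when reading the table. A single handshake shows only the cipher the server prefers for that version, not every cipher it accepts, so a server that prefers AES but still accepts RC4 shows as OK here; a full cipher enumeration needs the Server Analyzer or a tool that can restrict the offered cipher list. And if the machine running the script has SSLv2 removed from its own .NET/SChannel stack, the Ssl2 row reads "rejected" whatever the server does, so run it from a client that still has SSLv2 or rely on the scanner for that one line. Current practice also treats SSL 3.0 and TLS 1.0 as weak; extend $weakVersions if that is your policy.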
Occasional Advisor
DevinYao
Posts: 7
Registered: ‎07-05-2012
Message 6 of 6 (1,669 Views)

Re: IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)

Hi Jeremy,

Yes. The solution works and the issues have been resolved. I also got the fix steps from the IIS forum:

http://forums.iis.net/t/1151822.aspx.

Thanks very much.

Devin

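Added example, not from the thread, the linked IIS forum post, or Microsoft: the kind of SChannel registry change the thread converges on, written as a PowerShell script for Windows Server 2008 R2 / IIS 7.5. IIS 7.5 has no protocol or cipher settings of its own; it uses the SChannel configuration under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, so the script disables SSL 2.0 and the RC4 and 3DES ciphers there. It must run elevated, and SChannel reads these keys at boot, so the change takes effect after a restart.

```powershell
# Added example, not from the thread. Disables SSL 2.0 and the RC4 / 3DES
# cipher suites in SChannel on Windows Server 2008 R2 (IIS 7.5 uses SChannel
# for TLS). Run elevated; reboot afterwards for SChannel to pick it up.
# Key names are the ones SChannel uses; a DWORD 'Enabled' = 0 turns an item off.

$schannel = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL', $true)

function Disable-SchannelItem {
    param([string]$SubKey)
    # .NET is used instead of New-Item because the PowerShell registry provider
    # treats the '/' in names such as 'RC4 128/128' as a path separator.
    $key = $schannel.CreateSubKey($SubKey)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    "$SubKey : Enabled=0"
}

# Weak Protocol (11286): SSL 2.0, both the server side IIS offers and the
# client side Windows uses for its own outbound TLS connections.
foreach ($side in 'Server', 'Client') {
    Disable-SchannelItem "Protocols\SSL 2.0\$side"
}
# DisabledByDefault=1 additionally stops applications that ask for "system defaults".
$srv = $schannel.CreateSubKey('Protocols\SSL 2.0\Server')
$srv.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$srv.Close()

# Weak Cipher (11285): every RC4 key length SChannel knows, plus 3DES.
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168') {
    Disable-SchannelItem "Ciphers\$cipher"
}

$schannel.Close()

# Show what is now in the registry before rebooting.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' |
    ForEach-Object { '{0,-16} Enabled={1}' -f $_.PSChildName, $_.GetValue('Enabled') }
```

Export the SCHANNEL key before running this so it can be restored. The AES cipher suites are left enabled, so TLS 1.0 clients that support AES keep working, but clients that only offer RC4 or 3DES (Windows XP era) will no longer be able to connect; check the client population first. After the reboot, re-run the scan to confirm that 11285 and 11286 no longer appear.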