08-19-2013 10:56 PM
Who can help me with this issue? Is it a false positive?
After upgrading WebInspect to version 10, we scan out these issues for our web application:
Insufficient Transport Layer Protection - Weak Cipher (11285)
Insufficient Transport Layer Protection - Weak Protocol (11286)
We checked them and found that it is an IIS configuration issue, and Microsoft gives the solution:
But our IIS is installed on Windows Server 2008 R2 and the IIS version is 7.5, and that patch cannot fix the issue on our system; it gives the message "This Microsoft Fix it does not apply to your operating system or application version".
If so, does IIS 7.5 actually not have these issues? Is it a false positive? Or how can we configure our IIS to avoid scanning out that issue? Please help, thanks.
08-21-2013 07:26 AM
If we look up this check #11285 in the Policy Manager, we will see that it was last updated in August 2012. It is quite likely that the Fix details for specific server versions can become outdated as new releases arrive or additional patches are created. The check's logic should still be sound, but the text details we provide to accompany it may need an update over time.
An alternative way to review this issue, and prior to the creation of the TLS checks - the only way, would be to run the Server Analyzer tool against the site. This will display the certificates encountered during that brief test as well as the encryption levels accepted by the server. It is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users, based on industry best practices.
I am afraid that since the listed KB articles do not apply to your current server version, you will need to investigate the specific corrective measures yourself. I will forward this instance on to our check writers team to review and perhaps update these details for this check.
-- Habeas Data
08-21-2013 07:51 PM
Thanks for your check first.
1. As per your comments, if you say "then up to your organization to know what is the minimum level of encryption you wish to accept or provide to you users", then
I double-checked that my connection is encrypted with 128-bit keys. So it is not a critical bug if I think 128-bit keys are acceptable?
I only need to recommend to my organization that 256-bit key encryption is better?
If so, this is only a site certificate encryption warning, not an issue, am I right?
2. What can I do to investigate the specific corrective measures by myself? Could you give me a guide?
08-22-2013 12:20 AM
I have run the Server Analyzer. Please help me check the attachment "Server Analyzer Result".
08-25-2013 05:40 PM
According to the document, these are true positives. WI is flagging weak protocol because the server has SSLv2 enabled. SSLv2 is broken and should be disabled completely. Weak cipher is flagging because RC4 and 3DES are enabled. These are recommended to be disabled in favor of stronger algorithms such as AES. For more information on testing for weak ciphers and protocols, please review this OWASP wiki page:
As for how to fix this in IIS 7.5, I have not tried it, but see if this Stack Overflow thread helps:
And let us know if it does :).
HP WebInspect Developer
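As an added example (not from this thread, the linked Stack Overflow answer, or HP): a PowerShell script that audits and then hardens the SCHANNEL registry settings behind the two findings on Windows Server 2008 R2 / IIS 7.5, i.e. the SSL 2.0 server protocol (weak protocol) and the RC4 and Triple DES ciphers (weak cipher). The sub-key names are the standard Windows SCHANNEL ones and are assumed here; run it elevated, and note that SCHANNEL only re-reads these keys after a reboot.

```powershell
# Added example, not from this thread. Audits and hardens the SCHANNEL registry keys
# that control SSLv2 (weak protocol) and RC4 / 3DES (weak cipher) on Server 2008 R2.
# Sub-key names are the standard SCHANNEL ones (assumed). Run elevated; reboot afterwards.

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-keys to check. A missing key means the OS default applies for that item.
$targets = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\RC4 128/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\Triple DES 168'
)

function Get-SchannelStatus {
    # One object per target with the current 'Enabled' value, or 'default' when unset.
    foreach ($t in $targets) {
        # .NET treats '/' as part of the key name; the HKLM: provider would split
        # "RC4 128/128" into two nested keys, which is why New-Item is avoided here.
        $key = $hklm.OpenSubKey("$schannel\$t")
        $enabled = 'default'
        if ($key) { $enabled = $key.GetValue('Enabled', 'default'); $key.Close() }
        New-Object PSObject -Property @{ SubKey = $t; Enabled = $enabled }
    }
}

function Disable-SchannelSubKey {
    param([Parameter(Mandatory=$true)][string]$SubKey)
    # CreateSubKey opens the key writable, creating it if absent. Enabled = 0 turns the
    # protocol or cipher off; for protocols, DisabledByDefault = 1 also stops applications
    # that rely on the system default from negotiating it.
    $key = $hklm.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    if ($SubKey -like 'Protocols\*') {
        $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

'Before:'; Get-SchannelStatus | Format-Table SubKey, Enabled -AutoSize
$targets | ForEach-Object { Disable-SchannelSubKey -SubKey $_ }
'After (effective at next reboot):'; Get-SchannelStatus | Format-Table SubKey, Enabled -AutoSize
```

After the reboot, re-running the Server Analyzer (or the WebInspect checks) against the site confirms that SSLv2, RC4 and 3DES are no longer offered.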
08-27-2013 03:46 AM
Yes. The solution works and the issues have been resolved. I also got the fix steps from IIS:
Thanks very much.