Can't turn off 3DES

Support for security such as Firewalls and securing linux
mconstant
Posts: 13
Joined: 2014/11/04 16:39:03

Post by mconstant » 2017/08/18 14:37:33

I am not having an easy time turning off 3DES to fix SWEET32. This is an .ova for a phone system but I am trying to remediate some security vulnerabilities. If I go to /etc/httpd/conf.d/ssl.conf I have SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:!3DES. If I go to httpd.conf I have added the 3DES part to SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:+SHA1 so it looked like SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:+SHA1, but each time I run nmap or Nessus it comes up with 3DES as a finding. Is there any other place I can shut it off?

TrevorH
Forum Moderator
Posts: 20282
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't turn off 3DES

Post by TrevorH » 2017/08/18 16:28:42

On what port is the report of the error?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Re: Can't turn off 3DES

Post by mconstant » 2017/08/18 19:03:51

For this machine it is 443.

avij
Forum Moderator
Posts: 2000
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Can't turn off 3DES

Post by avij » 2017/08/18 19:45:35

Do you have some other software (or hardware) functioning as a reverse proxy for the web server?

Re: Can't turn off 3DES

Post by TrevorH » 2017/08/18 20:27:45

Check the output of ss -antpl | grep 443 and make sure the process that is listening on the port is the one you think it is. Check the running process to see what config file it is using and make sure it is the one you think it should be.

Re: Can't turn off 3DES

Post by mconstant » 2017/08/23 14:03:51

You were correct, there was a different process using 443. It was a proxy. Thank you.
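The listener check suggested in this thread, as an added example that is not part of any post: it matches the port exactly (a plain grep 443 also hits 8443 or a peer port such as 50443) and names the owning process. The function names and the sample ss output, including the haproxy and httpd entries, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -antpl` output (process names, PIDs and the 8443
# listener are made up). The sshd row uses the older users:(("name",pid,fd)) form.
sample_ss_output() {
cat <<'EOF'
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port
LISTEN     0      128                  *:443               *:*      users:(("haproxy",pid=1432,fd=5))
LISTEN     0      128                 :::8443             :::*      users:(("httpd",pid=2210,fd=4),("httpd",pid=2211,fd=4))
LISTEN     0      128                  *:22                *:*      users:(("sshd",980,3))
ESTAB      0      0             10.0.0.5:22         10.0.0.9:50443
EOF
}

# Read `ss -antpl` output on stdin; print "local-address process" for each
# LISTEN socket whose port is exactly $1.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # port is the text after the last colon
            if (a[n] != port) next
            name = "unknown"           # without root, ss omits the users: column
            if (match($0, /users:\(\("[^"]+"/))
                name = substr($0, RSTART + 9, RLENGTH - 10)
            print $4, name
        }'
}

# Succeed only if every listener on port $1 belongs to process name $2.
port_owned_by() {
    port=$1 expected=$2
    owners=$(listeners_on_port "$port" | awk '{print $2}' | sort -u)
    [ -n "$owners" ] && [ "$owners" = "$expected" ]
}

# On a live host, run as root:  ss -antpl | listeners_on_port 443
sample_ss_output | listeners_on_port 443
sample_ss_output | port_owned_by 443 httpd ||
    echo "443 is not served by httpd: set the cipher list in that process's config"
```

When the owner is not httpd, the SSLCipherSuite lines in ssl.conf and httpd.conf have no effect on what the scanner sees on that port.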

