[isapros] Re: ISA Penetration Test - SSL Weak Cipher False Positive

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 22 Mar 2007 13:28:15 +0100

Hi Tom, 

The MSKB you need is http://support.microsoft.com/kb/245030/en-us. By
disabling the weak ciphers the ISA server will *not* offer those ciphers
during the SSL negotiation. In my opinion that's the correct way to solve
that problem. 

When you just enable 128-bit encryption in the ISA GUI, this will *not*
enforce strong ciphers during the SSL negotiation. In other words, the SSL
negotiation will complete with e.g. a 56-bit cipher though ISA will not let
traffic through. Watch my blog for a part2 of "Require 128-bit Encryption
for HTTPS Traffic with ISA Server 2006". 

BTW -- I have 2 open cases with MS PSS about this item. One for the GUI
problem already documented in my blog and one I can't blog about yet (NDA
reasons). 

Kindly, 
Stefaan
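The KB245030 approach Stefaan recommends, as an added example that is not part of the thread: a PowerShell script that sets `Enabled = 0` under `SCHANNEL\Ciphers` for the sub-128-bit ciphers so the listener never offers them, then reports the state of every cipher key for verification. It assumes local Administrator rights, PowerShell on the ISA host, and that the cipher key names listed are the ones a site treats as weak.

```powershell
# Added example (not from the thread): apply the KB245030 registry approach so
# SChannel stops offering weak ciphers. Assumes local Administrator rights; the
# list of cipher key names below is an assumption about which ciphers a site
# considers weak. SChannel reads these values at boot, so a reboot is required.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Cipher key names that should not be offered (below 128 bits, plus NULL).
$weakCiphers = @(
    'NULL',
    'DES 56/56',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128'
)

# The cipher key names contain '/', which the HKLM: provider treats as a path
# separator (New-Item would create nested keys), so use the .NET registry API,
# where only '\' separates key names.
$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
if ($null -eq $ciphersKey) {
    $ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
}

foreach ($name in $weakCiphers) {
    $key = $ciphersKey.CreateSubKey($name)   # opens the key if it already exists
    # Enabled = 0 disables the cipher; 0xffffffff (the OS default) enables it.
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Report the resulting state of every cipher key so the change can be checked
# before rebooting. A missing 'Enabled' value means the OS default applies.
foreach ($name in $ciphersKey.GetSubKeyNames()) {
    $key = $ciphersKey.OpenSubKey($name)
    $enabled = $key.GetValue('Enabled')
    $state = if ($null -eq $enabled) { 'default' }
             elseif ($enabled -eq 0) { 'disabled' }
             else { 'enabled' }
    '{0,-16} {1}' -f $name, $state
    $key.Close()
}
$ciphersKey.Close()
```

After the reboot, re-run the scanner that produced the finding against the listener; the weak ciphers should no longer be negotiable at all, which is the only result a pentest report will accept.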

-----------------------------------------------------------------------

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Thursday, 22 March 2007 4:29
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False Positive

Are you saying that when you set 128 bit enforcement that insecure
connections can be created?

Tom

------------------------------------------------------------------------

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Wednesday, March 21, 2007 7:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Penetration Test - SSL Weak Cipher False Positive

Hi All, 
After seeing a few ISA security or penetration tests a few times recently, a
common theme relating to weak SSL ciphers is appearing. The first time this
was reported by a customer, I contacted PSS who explained that the issue was
due to the fact that the operating system would negotiate SSL at a low
cipher strength irrespective of ISA and that ISA would drop all weak cipher
traffic if the "use 128 bit encryption" option was enabled on the web
listener. E.g. you *can* negotiate a low cipher, but ISA will drop traffic
that does not meet 128 bit. The 'SSL digger' tool is an example of how to
generate the false positive.
PSS provide a KB of how to configure the OS to only allow specific ciphers,
but this is pretty full on and includes some hardcore registry changes. Not
all customers have been keen to make these changes to pass the tests.
Does anyone know if MS plans to create a KB to explain this false positive
when using ISA? If not, can someone suggest it be created to provide
customers with an explanation?
I am managing to convince most customers, but a few have asked for a written
response from Microsoft to confirm the issue is indeed a false positive and
not a legitimate issue.
Any help appreciated. 
JJ 
