With the release of the POODLE vulnerability, Fortinet have released a great article on howto disable SSLv3 on all the Fortinet devices that are affected.
The list goes on to include:
For this test I'll be disabling SSLv3 on my FortiWeb.
root@kali:~# nmap --script ssl-enum-ciphers -p 443 www.wglab.com.au
The list goes on to include:
- FortiGate
- FortiMail
- FortiAnalyzer
- FortiManager
- FortiAuthenticator
- FortiCache
- FortiWeb
- FortiDDOS
- FortiADC-D
- FortiClient
- FortiVoice-Enterprise
- FortiRecorder
- FortiDB
- FortiSwitchOS
- FortiSwitch ATCA
Fortunately disabling SSLv3 is very simple on all devices, with some just requiring an upgrade.
I won't go into detail on howto disable SSLv3 on every box as it's covered in the article linked above. I just wanted to go through on how you can test to ensure that SSLv3 has been disabled once you've made the configuration change.
For this test I'll be disabling SSLv3 on my FortiWeb.
First lets see what ciphers the FortiWeb is presenting before I make any changes. For this I use the following nmap command: nmap --script ssl-enum-ciphers -p 443 hostname
Starting Nmap 6.46 ( http://nmap.org ) at 2014-12-01 10:50 EST
Nmap scan report for www.wglab.com.au (203.219.221.181)
Host is up (0.026s latency).
rDNS record for 203.219.221.181: 203-219-221-181.static.tpgi.com.au
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
As per above we can see that SSLv3 has been enabled with 10 ciphers configured.
Now let's disable SSLv3 on the FortiWeb using the commands found in the link above.
web $ config system advanced
web (advanced) $ set no-sslv3 enable
web (advanced) $ end
web $ config system global
web (global) $ set no-sslv3 enable
web (global) $ end
Once this is complete I run the nmap command to confirm the changes have taken effect.
root@kali:~# nmap --script ssl-enum-ciphers -p 443 www.wglab.com.au
Starting Nmap 6.46 ( http://nmap.org ) at 2014-12-01 10:54 EST
Nmap scan report for www.wglab.com.au (203.219.221.181)
Host is up (0.037s latency).
rDNS record for 203.219.221.181: 203-219-221-181.static.tpgi.com.au
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
As per above, we can now see that no SSLv3 ciphers are being used by the FortiWeb.
No comments:
Post a Comment