000011554 - scan shows version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011554

Applies To:
RSA Certificate Manager 6.8
RSA Certificate Manager (RCM)
RSA Registration Manager 6.8
RSA Registration Manager (RRM)
RSA Validation Manager (RVM)
RSA Validation Manager 3.1
Microsoft Windows Server 2003 SP2
Issue: A vulnerability scan reports that the version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers.

CVE-2008-7270

The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker who can observe the start of an SSL connection (e.g. by sniffing) can manipulate the OpenSSL session cache so that subsequent resumptions of that session use a disabled cipher of the attacker's choosing.
Resolution

This is not applicable to RCM and RVM.

RSA does not use OpenSSL in RCM and RVM. These products are built with B-Safe SSL-C rather than OpenSSL, so the OpenSSL session-cache flaw described in CVE-2008-7270 does not apply to them.
RCM 6.8 build 520 and RVM 3.1 build 162 are patched to the available version of SSL-C, 2.8.5.1.

Notes: CERTMGR-3950
Legacy Article ID: a55884
