In response, SSL has been configured to prefer RC4 ciphers over block-based ciphers, which limits but does not eliminate exposure. For browser compatibility, the other ciphers remain available as a graceful degradation. We chose not to use TLS 1.1 or 1.2 because, according to the CVE-2011-3389 details, they are not compatible with major browser versions such as Firefox, Safari and Chrome.
According to the TrustWave remediation notes, affected users who implement the prioritization/degradation mitigation described above should appeal this vulnerability finding and include details of their SSL configuration.
The SSL configuration has been set to the following:
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
The configuration above should be applied, and its details included in the TrustWave appeal.
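As an added example (not part of the original post or of any TrustWave tooling), the following script checks an Apache SSL configuration for the two settings described above: an RC4 suite first in SSLCipherSuite and SSLHonorCipherOrder on. The two config strings are constructed samples; the assumed failure mode it also catches is stray whitespace inside the cipher spec, which Apache will not parse as a single cipher string.

```python
"""Check an Apache SSL config for the BEAST (CVE-2011-3389) mitigation described above.

Note: RC4 has since been prohibited for TLS by RFC 7465; this check only verifies
that a config matches the mitigation the text describes, not that RC4 is safe today.
"""

# Constructed sample: the cipher spec with stray spaces after the colons.
SAMPLE_CONF_BROKEN = """\
SSLEngine on
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH: !aNULL: !MD5
SSLHonorCipherOrder on
"""

# Constructed sample: the same spec written as one unbroken cipher string.
SAMPLE_CONF_FIXED = """\
SSLEngine on
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
"""


def parse_directives(conf):
    """Return {directive: argument-string} for simple 'Name value' lines."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1]
    return directives


def check_beast_mitigation(conf):
    """Return a list of findings; an empty list means the config matches the mitigation."""
    findings = []
    d = parse_directives(conf)
    suite = d.get("SSLCipherSuite")
    if suite is None:
        findings.append("SSLCipherSuite is missing")
    else:
        if any(ch.isspace() for ch in suite):
            findings.append("SSLCipherSuite contains whitespace; the cipher spec must be one token")
        ciphers = [c.strip() for c in suite.split(":") if c.strip()]
        if not ciphers or not ciphers[0].startswith("RC4-"):
            findings.append("first cipher is not an RC4 suite, so RC4 is not preferred")
        for excluded in ("!aNULL", "!MD5"):
            if excluded not in ciphers:
                findings.append(f"{excluded} is not excluded")
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client's order would win")
    return findings
```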