IIS issue: Insufficient Transport Layer Protection - Weak Cipher (11285)
Who can help me with this issue? Is it a false positive?
After upgrading WebInspect to version 10, we found these issues reported for our web application:
Insufficient Transport Layer Protection - Weak Cipher (11285)
Insufficient Transport Layer Protection - Weak Protocol (11286)
We checked them and found that it is an IIS configuration issue, and Microsoft gives the solution:
http://support.microsoft.com/kb/187498 But our IIS is installed on Windows Server 2008 R2 and the IIS version is 7.5, and that patch cannot fix the issue on our system; it gives the message "This Microsoft Fix it does not apply to your operating system or application version".
If so, does IIS 7.5 actually not have these issues? Is it a false positive? Or how can we configure our IIS so that this issue is not reported? Please help, thanks.
If we look up this check #11285 in the Policy Manager, we will see that it was last updated in August 2012. It is quite likely that the Fix details for specific server versions can become outdated as new releases arrive or additional patches are created. The check's logic should still be sound, but the text details we provide to accompany it may need an update over time.
An alternative way to review this issue, and prior to the creation of the TLS checks - the only way, would be to run the Server Analyzer tool against the site. This will display the certificates encountered during that brief test as well as the encryption levels accepted by the server. It is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users, based on industry best practices.
I am afraid that since the listed KB articles do not apply to your current server version, you will need to investigate the specific corrective measures yourself. I will forward this instance on to our check writers team to review and perhaps update these details for this check.
-- Habeas Data Micro Focus Fortify Customers-Only Forums – https://community.saas.hpe.com/t5/Fortify/ct-p/fortify
According to the document, these are true positives. WI is flagging weak protocol because the server has SSLv2 enabled. SSLv2 is broken and should be disabled completely. Weak cipher is flagging because RC4 and 3DES are enabled. These are recommended to be disabled in favor of stronger algorithms such as AES. For more information on testing for weak ciphers and protocols, please review this OWASP wiki page:
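Since the first reply leaves the corrective measures to the reader and the second names the specific findings (SSLv2, RC4, 3DES), here is an added example of how those are audited and turned off on Windows Server 2008 R2 / IIS 7.5. It is not code from the thread, from Micro Focus or from Microsoft: on IIS the cipher suites and protocols are not configured in IIS itself but in the SCHANNEL registry keys, and this script reads the `Enabled` value under the standard SCHANNEL protocol and cipher subkeys and, with `-Remediate`, sets it to 0. The cipher subkey names (`RC4 40/128`, `RC4 56/128`, `RC4 64/128`, `RC4 128/128`, `Triple DES 168`) are the ones Microsoft documents for this server generation; treat them as an assumption and confirm them against `HKLM\...\SCHANNEL\Ciphers` on your own build before remediating.

```powershell
# Added example (not from the thread, Micro Focus or Microsoft): audit and, with
# -Remediate, disable SSLv2, RC4 and 3DES in SCHANNEL on Windows Server 2008 R2.
# Assumption: the cipher subkey names below match the ones on your build.
# Run from an elevated PowerShell prompt; a reboot is required for the change to apply.
param([switch]$Remediate)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols: Enabled=0 under Protocols\<name>\Server disables that protocol server-side.
$weakProtocols = @('SSL 2.0')
# Ciphers: Enabled=0 under Ciphers\<name> disables that cipher for every protocol.
$weakCiphers = @('RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168')

function Get-SchannelState {
    param([string]$SubKeyPath)
    # Use the .NET registry API rather than the HKLM: provider: PowerShell treats the
    # "/" in names such as "RC4 128/128" as a path separator and cannot open those keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKeyPath, $false)
    if ($null -eq $key) { return 'not set (default: enabled)' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $value) { return 'not set (default: enabled)' }
    if ($value -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Disable-SchannelItem {
    param([string]$SubKeyPath)
    # CreateSubKey opens the key if it exists and creates it otherwise.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKeyPath)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

$items = @()
foreach ($p in $weakProtocols) { $items += "$schannel\Protocols\$p\Server" }
foreach ($c in $weakCiphers)   { $items += "$schannel\Ciphers\$c" }

foreach ($path in $items) {
    $state = Get-SchannelState -SubKeyPath $path
    Write-Output ("{0,-90} {1}" -f $path, $state)
    if ($Remediate -and $state -ne 'disabled') {
        Disable-SchannelItem -SubKeyPath $path
        Write-Output ("  -> set Enabled=0 on {0}" -f $path)
    }
}

if ($Remediate) {
    Write-Output 'Reboot for SCHANNEL to pick up the change, then re-run the WebInspect scan.'
}
```

Run it without `-Remediate` first to see which of the flagged items are actually active (a key that is "not set" is enabled, which is why a fresh 2008 R2 server is reported on both checks). Before disabling RC4 and 3DES, confirm that the AES suites remain available, which on this platform means leaving TLS 1.0 (and, if enabled, TLS 1.1/1.2) turned on, and check which client populations you serve, since very old clients that only negotiate SSLv2 or RC4 will stop connecting once these keys are set.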