Results 1 to 2 of 2

Thread: Need help on closure of SSL related vulnerability

  1. #1
    chandu is offline Elite Member
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Default Need help on closure of SSL related vulnerability

    Hi Guys,

    I upgraded my zimbra setup from zcs 5.0.13 to zcs 6.0.6.1 successfully and its working fine from last two week.
    When we ran penetration test we found some vluernability related to SSL...please have a look on this details :


    ################################################## ##

    SSL / TLS Renegotiation Handshakes MiTM plaintext data injection



    Potential business imapct :
    A remote attacker could exploit this vlunerability via man-in-middle techniques to inject data into the beginning of the application protocol stream to execute HHTP transcations, bypass authentication and possibly launch further attacks against the victim.

    #################################################


    Can anyone please help to understand this vlunerability...actually i dont understand wht it mean...it is the issue with the SSL do communication ? or is it issue with certificate itself ?

    #################################################

    We are using external certificate for webmail which is stored in F5- network load balancer and for outlook connection we are using self - signed zimbra certificate.


    Please guide.

    Thanks

  2. #2
    chandu is offline Elite Member
    Join Date
    Dec 2007
    Posts
    445
    Rep Power
    7

    Default

    Hi Guys,


    In every version, i am getting below vulnerabilities and really couldnt find out the way to fix it...

    1. SSL Certificate Signed using Weak Hashing Algorithm

    Details : The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These algorithms are known to be vulnerable to collision attacks.

    2. SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

    Details : The remote service encrypts traffic using TLS / SSL but allows a client to renegotiate the connection after the initial handshake. An unauthenticated remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.



    Can anyone please guide me to fix these SSL related vulnerabilities...


    Thanks

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Note on creating SSL certs in opensource zimbra
    By pheonix1t in forum Administrators
    Replies: 2
    Last Post: 01-17-2009, 08:10 AM
  2. SSL Certificate related issues
    By jwf6911 in forum Administrators
    Replies: 1
    Last Post: 05-11-2008, 09:34 AM
  3. Disable SSL on the Admin Port 7071
    By rasputin in forum Installation
    Replies: 2
    Last Post: 04-06-2008, 03:29 AM
  4. Replies: 1
    Last Post: 01-02-2008, 09:31 PM
  5. Help with tomcat ssl errors...
    By sgtstadanko in forum Administrators
    Replies: 4
    Last Post: 03-19-2007, 09:13 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •