Thread: SSL Anonymous Cipher Suites Supported

  1. #1
    PastorOfMuppets, New Member
    Join Date: Dec 2011

    SSL Anonymous Cipher Suites Supported

    Nessus reported the following threat from Zimbra. Does anyone know how to correct it?


    SSL Anonymous Cipher Suites Supported

    Risk: High (3)
    Type: Nessus
    Port: 465
    Protocol: TCP
    Threat ID: 131705

    Information From Target:
    The remote server supports the following anonymous SSL ciphers :

    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
    ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
    ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
    ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
    ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
    ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1

    The fields above are :

    {OpenSSL ciphername}
    Kx={key exchange}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}

    Reconfigure the affected application if possible to avoid use of weak


    The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.

  2. #2
    yasanthau, Active Member
    Join Date: Nov 2009

    I also have the same issue.

  3. #3
    quanah, Zimbra Employee
    Join Date: May 2007

    This is a bogus report. I suggest you contact Nessus and ask them to fix their software. This does not affect SMTP/SMTPS (which is what port 465 is).
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    Zimbra :: the leader in open source messaging and collaboration
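
As an added example (not part of the thread, and not Zimbra or Nessus code), this Python script parses the suite lines of the finding in post #1 using the field legend the report itself gives, collapses repeated lines, and separates suites with `Au=None` from authenticated ones. The function names are hypothetical; the sample lines are copied from the report above.

```python
import re

# Suite lines copied from the Nessus finding quoted in post #1.
REPORT = """\
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
n/a Kx=DH Au=None Enc=SEED(128) Mac=SHA1
"""

# {name} Kx= Au= Enc=alg(bits) Mac= {export flag}, matched on whitespace-normalized lines.
LINE = re.compile(
    r"^(?P<name>\S+) Kx=(?P<kx>\S+) Au=(?P<au>\S+) "
    r"Enc=(?P<enc>[^()\s]+)\((?P<bits>\d+)\) Mac=(?P<mac>\S+)(?: (?P<export>export))?$"
)

def parse_suites(text):
    """Return unique suites in report order; repeated lines only bump 'seen'."""
    suites = {}
    for raw in text.splitlines():
        key = " ".join(raw.split())        # normalize indentation and spacing
        m = LINE.match(key)
        if not m:
            continue                       # headings, legend, blank lines
        if key in suites:
            suites[key]["seen"] += 1
            continue
        rec = m.groupdict()
        rec.update(bits=int(rec["bits"]), seen=1)
        suites[key] = rec
    return list(suites.values())

def anonymous(suites):
    """Suites with no server authentication (Au=None); OpenSSL groups these as aNULL."""
    return [s for s in suites if s["au"].lower() == "none"]

def summarize(text):
    suites = parse_suites(text)
    anon = anonymous(suites)
    return {"unique": len(suites),
            "duplicate_lines": sum(s["seen"] - 1 for s in suites),
            "anonymous": [f'{s["name"]} ({s["enc"]}/{s["bits"]})' for s in anon],
            "authenticated": [s["name"] for s in suites if s not in anon]}

if __name__ == "__main__":
    print(summarize(REPORT))
```

Every suite in this finding carries `Au=None`, and two of the nine lines are repeats, so the list describes seven distinct anonymous suites.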
