New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


My SSL Compliance Tool Shows a Alarm because of Weak Ciphers for the PRTG Web Server

Votes:

0

Your Vote:

Up

Down

When we run a security test tool against the web server of PRTG we get an alarm stating that the web server accepts connections with low security encryption.

prtg ssl web-server

Created on Dec 29, 2011 11:47:13 AM by  Dirk Paessler [Founder Paessler AG] (10,880) 3 4



1 Reply

Accepted Answer

Votes:

0

Your Vote:

Up

Down

By default SSLv2 is disabled in PRTG's webserver and only SSLv3 connections are accepted.

Note: It is possible to activate it manually using a registry entry. To enable/disable SSLv2 please see: http://kb.paessler.com/knowledgebase/en/topic/11813

Specifically we set "SSLv3+MEDIUM:SSLv3+HIGH" as allowed ciphers.

This is a scan of the SSLScan tool (http://sourceforge.net/projects/sslscan/) against a default installation of PRTG:

D:\Tools\SSLScan>sslscan 10.0.0.219
                  _
          ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
            http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server 10.0.0.219 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2  40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
=>  Accepted  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
=>  Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits  EXP-EDH-DSS-DES-CBC-SHA
=>  Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  56 bits  DES-CBC-SHA
    Rejected  SSLv3  40 bits  EXP-DES-CBC-SHA
=>  Accepted  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3  40 bits  EXP-RC2-CBC-MD5
=>  Accepted  SSLv3  128 bits  RC4-SHA
=>  Accepted  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3  40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Failed    TLSv1  256 bits  ADH-AES256-SHA
    Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA
    Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA
    Failed    TLSv1  256 bits  AES256-SHA
    Failed    TLSv1  128 bits  ADH-AES128-SHA
    Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA
    Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA
    Failed    TLSv1  128 bits  AES128-SHA
    Failed    TLSv1  168 bits  ADH-DES-CBC3-SHA
    Failed    TLSv1  56 bits  ADH-DES-CBC-SHA
    Failed    TLSv1  40 bits  EXP-ADH-DES-CBC-SHA
    Failed    TLSv1  128 bits  ADH-RC4-MD5
    Failed    TLSv1  40 bits  EXP-ADH-RC4-MD5
    Failed    TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    TLSv1  56 bits  EDH-RSA-DES-CBC-SHA
    Failed    TLSv1  40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Failed    TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    TLSv1  56 bits  EDH-DSS-DES-CBC-SHA
    Failed    TLSv1  40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Failed    TLSv1  168 bits  DES-CBC3-SHA
    Failed    TLSv1  56 bits  DES-CBC-SHA
    Failed    TLSv1  40 bits  EXP-DES-CBC-SHA
    Failed    TLSv1  128 bits  IDEA-CBC-SHA
    Failed    TLSv1  40 bits  EXP-RC2-CBC-MD5
    Failed    TLSv1  128 bits  RC4-SHA
    Failed    TLSv1  128 bits  RC4-MD5
    Failed    TLSv1  40 bits  EXP-RC4-MD5
    Failed    TLSv1    0 bits  NULL-SHA
    Failed    TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA

Only SSLv3 with medium and high ciphers are accepted.

Are you testing against a default installation?

Is maybe the registry entry "AllowSSLV2" (Path: "\software\Paessler\PRTG Network Monitor\Path Server\Webserver") set? (see link above)

Please try scanning using the SSLScan tool to see if you get different results with your installation.

We use the OpenSSL library for the SSL encryption which is the reference implementation, so everything should be by the rules.

Created on Dec 29, 2011 11:51:05 AM by  Dirk Paessler [Founder Paessler AG] (10,880) 3 4

Last change on Apr 27, 2012 1:12:26 PM by  Manischa Mittal [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.