Misconfiguration during vulnerability scan "Disable support for anonymous authentication"

Hello,

During a vulnerability scan we found a misconfiguration in a system I manage [195.30.85.143] gelamed.de.

I already contacted my host's support but they couldn't find any security gaps etc. Is there any way to fix this issue? Thank you in advance!

The vulnerability scan message was:

Please resolve these vulnerabilities or provide a business justification for this configuration:

SSL Server Allows Anonymous Authentication Vulnerability

Threat

"The Secure Sockets Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack."

Impact

An attacker can exploit this vulnerability to impersonate your server to clients.

Solution

Disable support for anonymous authentication to mitigate this vulnerability.

You will need to get more info from that scanner to know what they mean.
You could also try the site below for testing:

https://www.ssllabs.com/ssltest/analyze.html?d=galamed.de&hideResults=on

But, more importantly, if the problem is with your cert you should contact DigiCert. This forum focuses on support for certs from Let's Encrypt.

4 Likes

To add on this: anything related to the anonymous authentication is not related to Let's Encrypt.

6 Likes

This sounds like the Qualys scan. It looks like you've already fixed this by updating the supported ciphers in your Apache config, because they give your site an A rating: SSL Server Test: gelamed.de (Powered by Qualys SSL Labs)

[Confusingly, the error sounds like it's talking about HTTP authentication, which it's not. I presume it's talking about Anonymous Diffie-Hellman, as per myF5.]

3 Likes
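What the scanner finding quoted in the first post actually tests, and what the Apache cipher change in the reply above fixes, is whether the server will complete a handshake using an anonymous (aNULL) suite, i.e. one with no certificate-based authentication at all. The probe below is an added example written for this thread; it is not code from the original posts, from Qualys or from Let's Encrypt. It sends a TLS 1.2 ClientHello that offers only anonymous DH/ECDH suites and classifies the first record that comes back: a ServerHello means the server accepted an unauthenticated handshake (the finding is real), a handshake_failure alert means anonymous suites are disabled. The hostname/port arguments and the list of suite IDs are assumptions of the example (the suite list is a representative subset; the scanner's own list is not given in the thread). TLS 1.3 defines no anonymous cipher suites, so a TLS 1.2 ClientHello is all the probe needs.

```python
"""Probe a TLS server for anonymous (aNULL) cipher suite support.

Added example, not from the thread, Qualys or Let's Encrypt. It does what
the scanner finding describes: offer a server ONLY anonymous DH/ECDH
suites and see whether it completes the handshake anyway.
"""
import os
import socket
import struct
import sys

TLS12 = b"\x03\x03"

# IANA ids of anonymous suites. Assumption: a representative subset; the
# scanner's own list is not given on the page.
ANON_SUITES = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x006C: "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
    0x006D: "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
    0x00A6: "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    0xC017: "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
    0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
}

ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 71: "insufficient_security",
               80: "internal_error"}


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, suites=tuple(ANON_SUITES)):
    """Return one TLS 1.2 record carrying a ClientHello that offers `suites` only."""
    name = server_name.encode("ascii")
    # server_name extension: list length, name_type host_name(0), name length, name
    sni = _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    # supported_groups and ec_point_formats are required for the ECDH_anon suites
    groups = b"".join(struct.pack("!H", g) for g in (0x0017, 0x0018, 0x001D))
    supported_groups = _ext(0x000A, struct.pack("!H", len(groups)) + groups)
    ec_formats = _ext(0x000B, b"\x01\x00")
    extensions = sni + supported_groups + ec_formats
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS12 + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first TLS record a server sent back. Returns (verdict, detail)."""
    if len(data) < 5:
        return ("no_tls", "connection closed or non-TLS reply")
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == 0x15 and len(payload) >= 2:           # Alert: server refused
        return ("rejected", ALERT_NAMES.get(payload[1], "alert_%d" % payload[1]))
    if rec_type == 0x16 and len(payload) >= 41 and payload[0] == 0x02:  # ServerHello
        # hdr(4) version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        sid_len = payload[38]
        off = 39 + sid_len
        if off + 2 > len(payload):
            return ("unexpected", "truncated ServerHello")
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        if suite in ANON_SUITES:
            return ("anonymous_accepted", ANON_SUITES[suite])
        return ("unexpected", "server picked unoffered suite 0x%04x" % suite)
    return ("unexpected", "record type 0x%02x" % rec_type)


def probe(host, port=443, timeout=5.0):
    """Send the anonymous-only ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <hostname> [port]" % sys.argv[0])
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 probe_anon.py gelamed.de` (the filename is the example's own). A result of `('rejected', 'handshake_failure')` is what you want to see; `('anonymous_accepted', ...)` reproduces the scanner's finding. The same check in one line with the OpenSSL CLI is `openssl s_client -cipher aNULL -connect gelamed.de:443`, which should fail with a handshake failure on a correctly configured server. On the server side the fix for Apache is to make sure the `SSLCipherSuite` string excludes anonymous and null suites, e.g. by appending `:!aNULL:!eNULL` to whatever list is in use; as the reply above notes, this is entirely a web-server cipher setting and has nothing to do with the certificate or with Let's Encrypt.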
