Misconfiguration during vulnerabilities scan "Disable support for anonymous authentication"

njoy · October 9, 2023, 8:00am

Hello,

during a vulnerabilities scan we found misconfiguration in a system I manage [195.30.85.143] gelamed.de.

I already contacted my host support but they couldn't find any security gaps etc.. Is there any way to fix this issue? Thank you in advance!

The vunerabilites scan message was:

Please solve this vulnerabilities or provide business justification for this configuration:

SSL Server Allows Anonymous Authentication Vulnerability

Threat

"The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communications when clients are allowed to connect

using no authentication algorithm. SSL client-server communication may use several different types of

authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the

communications are vulnerable to a man-in-the-middle attack."""

Impact

An attacker can exploit this vulnerability to impersonate your server to clients.

Solution

Disable support for anonymous authentication to mitigate this vulnerability.

MikeMcQ · October 9, 2023, 12:04pm

You will need to get more info from that scanner to know what they mean.
You could also try the below site for testing

But, more importantly, if the problem is with your cert you should contact DigiCert. This forum focuses on support for certs from Let's Encrypt.

https://www.ssllabs.com/ssltest/analyze.html?d=galamed.de&hideResults=on

Osiris · October 9, 2023, 12:06pm

To add on this: anything related to the anonymous authentication is not related to Let's Encrypt.

webprofusion · October 10, 2023, 4:04am

This sounds like the Qualsys scan, it looks like you've already fixed this by updating your supported ciphers in your apache config because they give your site an A rating. SSL Server Test: gelamed.de (Powered by Qualys SSL Labs)

[Confusingly the error sounds like it's talking about http authentication, which it's not, I presume it's talking about Anonymous Diffie-Hellman as per myF5]

system · November 9, 2023, 4:05am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions about the SSL certs generated by Lets Encrypt	2	2724	January 24, 2016
SSL here is not secure Site Feedback	13	12048	December 29, 2016
SSL/TLS Adaptive Chosen Ciphertext Attack Vulnerability against RSA (ROBOT Attack) Help	5	3063	February 19, 2021
Occasional errors with my LetsEncrypt certs Help	38	4296	March 7, 2019
Can I increase the Key Exchange and Cipher Strength I'm using for a 100% score on SSLabs? Help	23	6575	January 17, 2021

Misconfiguration during vulnerabilities scan "Disable support for anonymous authentication"

Related topics