The QualysGuard Scan Results show that my host is vulnerabile with QID 38140 - SSL Server Supports Weak Encryption Vulnerability. How can I verify this?
The test for QID 38140 can be verified manually on a Unix based machine.
On a command line, type:
openssl s_client -connect TARGET_IP:PORT_NUMBER -cipher LOW
Where TARGET_IP is the IP address of the host in question and PORT_NUMBER is the port listed in the scan report for this QID.
For mail servers (port 25 and others) that use START TLS, you will need to use: openssl s_client -connect 220.127.116.11:25 -starttls smtp -cipher LOW
If the result is an SSL handshake error similar to the example below, the host is not vulnerable:
9216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
However, if the connection is established and a large amount of data is displayed including the certificate, the host is vulnerable.
Note: The LOW switch does not include export cipher suites (which are LOW as well).
Failed: openssl s_client -connect 18.104.22.168:443 -cipher LOW
Successful: openssl s_client -connect 22.214.171.124:443 -cipher EXP
This is explained on the OpenSSL website: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
To remedy this issue, please examine the host in question and find out what service is running on the port that is listed for this vulnerability in the scan results, then reconfigure that service to disable SSLv2 and low encryption ciphers.
For further assistance with host configuration or additional remediation information, contact the vendor of the host and/or service.
Qualys Support KnowledgeBase