We are facing some hard pressures from banks, they will starting fining merchants in November for vulnerablities. One issue we see I do not understand:
5 Synopsis : The remote service supports the use of anonymous SSL ciphers. Description : The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host’s identity and renders the service vulnerable to a man-in-the-middle attack. See also : http://www.openssl.org/docs/apps/ciphers .html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) [More]
[Hide]
can anyone help, one solution is to only allow ssl3, and TLS1 protocols for encryption. Can we tweak this in Virtual Min UI or not?