# 停用3des加密套件 ``` Vulnerabilities 42873 - SSL Medium Strength Cipher Suites Supported (SWEET32) Synopsis The remote service supports the use of medium strength SSL ciphers. Description The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. See Also https://www.openssl.org/blog/blog/2016/08/24/sweet32/ https://sweet32.info Solution Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor Medium Plugin Output tcp/7021/www Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES) Name Code KEX Auth Encryption MAC ---------------------- ---------- --- ---- --------------------- --- ECDHE-RSA-DES-CBC3-SHA 0xC0, 0x12 ECDH RSA 3DES-CBC(168) SHA1 DES-CBC3-SHA 0x00, 0x0A RSA RSA 3DES-CBC(168) SHA1 The fields above are : {Tenable ciphername} {Cipher ID code} Kex={key exchange} Auth={authentication} Encrypt={symmetric encryption method} MAC={message authentication code} {export flag} ``` 問題出在tomcat的ciphers使用了3DES加密法,這個加密法不安全 解決方法: 在tomcat的server.xml裡面, 將ciphers的有關於3DES的加密法全部拿掉, 然後將256的加密法放在128前面,384的放最後面。 重新送弱掃，成功解決問題。 (2021/06/11重送弱掃成功) [參考網站](https://ithelp.ithome.com.tw/questions/10185420) ###### tags: 弱點掃描