The "Anonymous Diffie-Hellman" (ADH) vulnerability, also reported as the SSL Anonymous Authentication vulnerability, refers to a TLS service that accepts cipher suites in which the Diffie-Hellman key exchange runs anonymously, that is, without the server presenting a certificate. The weakness is not in Diffie-Hellman itself but in the anonymous suites that omit server authentication. Having ADH enabled can cause PCI compliance scans to fail with the following message.
SSL Server Allows Anonymous Authentication Vulnerability
Diffie-Hellman is a key-agreement algorithm that lets two parties establish a shared secret over an insecure channel. The exchange on its own does not identify either party. In an anonymous cipher suite (ADH, or AECDH for the elliptic-curve variant) the server never authenticates itself to the client, so an attacker positioned in the path can intercept the connection, perform the key exchange with each side separately and impersonate the server, compromising the confidentiality and integrity of the exchanged data.
To mitigate this, allow only suites in which the ephemeral Diffie-Hellman (DHE) or elliptic-curve Diffie-Hellman (ECDHE) exchange is signed with the server's certificate key, for example ECDHE-RSA or DHE-RSA suites. DHE and ECDHE by themselves provide forward secrecy, not authentication; the authentication comes from the certificate signature, which is exactly what the anonymous suites leave out. The fix is therefore to remove the ADH and AECDH suites from the service's cipher list. In OpenSSL cipher-string syntax, !aNULL excludes every suite that offers no authentication and covers both ADH and AECDH; the steps below use the explicit !ADH:!AECDH form, which has the same effect.
Disable Anonymous Authentication
IMPORTANT: This solution will require root access. If this needs to be obtained, follow the guide on requesting root access.
- Confirm the port and associated service that is failing
- Append :!ADH:!AECDH to the list of supported ciphers for the relevant service to disable the anonymous cipher suites
EXAMPLE: If this was failing for port 21, it would be the FTP service, so we would do the following steps. Different services may require slightly different steps. Please reach out to our Technical Support team for further assistance.
- Log into Root WHM
- Navigate to FTP Server Configuration, located under Service Configuration
- Locate TLS Cipher Suite
EXAMPLE: This server currently has the following options set.
HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
- Add :!ADH:!AECDH to the list
EXAMPLE: We would update the suite list to the following to disable the SSL anonymous authentication suites.
HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3:!ADH:!AECDH
- Click Save
- Re-run the compliance scan once the service is using the new configuration
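To confirm that the edited cipher string really drops the anonymous suites before asking for a rescan, the following script (an added example written for this article, not part of the WHM product or the original page) expands both cipher strings above with the OpenSSL library linked into Python and lists any suite that authenticates nobody. The ORIGINAL and HARDENED constants are the two strings from the example; the server_accepts_anonymous function is an assumption-free live probe for services that speak TLS directly on their port, and its host/port arguments are whatever you are testing.

```python
import socket
import ssl

# Cipher strings from the article: the WHM FTP "TLS Cipher Suite" value
# before and after appending :!ADH:!AECDH.
ORIGINAL = "HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"
HARDENED = ORIGINAL + ":!ADH:!AECDH"


def suites_for(cipher_string):
    """Expand an OpenSSL cipher string into the suites it would offer, using
    the OpenSSL build linked into this Python. Returns [] when the string
    matches nothing, which OpenSSL reports as an error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def anonymous_suites(cipher_string):
    """Names of the suites in cipher_string that authenticate nobody.

    OpenSSL tags these with auth 'auth-null' and names them with an ADH- or
    AECDH- prefix. TLS 1.3 suites carry auth 'auth-any' and always
    authenticate the server, so they never appear here."""
    return [
        c["name"]
        for c in suites_for(cipher_string)
        if c.get("auth") == "auth-null" or c["name"].startswith(("ADH-", "AECDH-"))
    ]


def is_hardened(cipher_string):
    """True when the cipher string enables no anonymous suite at all."""
    return not anonymous_suites(cipher_string)


def server_accepts_anonymous(host, port, timeout=5.0):
    """Live check for a service that speaks TLS directly on the port
    (443, 990, 993, ...). The client offers ONLY anonymous suites, so a
    completed handshake proves the server still negotiates ADH/AECDH.
    Port 21 wraps TLS inside FTP's AUTH TLS command, which this plain-socket
    probe does not perform; use openssl s_client -starttls ftp for that."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # an anonymous handshake carries no
    ctx.verify_mode = ssl.CERT_NONE  # certificate, so do not demand one
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    try:
        ctx.set_ciphers("aNULL")     # every suite without authentication
    except ssl.SSLError as exc:
        raise RuntimeError("local OpenSSL has no anonymous suites; cannot probe") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0].startswith(("ADH-", "AECDH-"))
    except ssl.SSLError:
        return False                 # handshake refused: no anonymous suite offered


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("hardened", HARDENED)):
        anon = anonymous_suites(value)
        print(f"{label}: {len(suites_for(value))} suites, anonymous: {anon or 'none'}")
```

Run it on the server after saving the new cipher string; the hardened line must report no anonymous suites. Which ADH-/AECDH- names the original string lists depends on the local OpenSSL build, but the hardened result is the same everywhere because the ! operator removes those suites permanently. For the FTP port itself, the equivalent external check is openssl s_client -starttls ftp -cipher aNULL -connect host:21, which should fail with a handshake failure once the fix is in place.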