SSL/TLS Server Accepts Weak Cipher Methods
Description
Detects whether a web server accepts SSL/TLS connections that use cryptographically weak cipher suites. These weak ciphers (like NULL, RC2, RC4, DES, DES3, SM3, SM4) or hash algorithms (MD5, SHA1, SM3) can be broken by attackers, potentially compromising encrypted communications.
Detection Strategy
• A vulnerability is reported when the server accepts an SSL/TLS connection using any of the following weak ciphers: NULL, RC2, RC4, DES, DES3, SM3, or SM4
• A vulnerability is reported when the server accepts an SSL/TLS connection using any of the following weak hash algorithms: MD5, SHA1, or SM3
• The detector attempts connections with each supported TLS version, offering only weak cipher suites to verify if the server accepts them
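To apply the same lists to the output of a scan you already have, the added example below (not the detector's own code) classifies IANA-style cipher suite names against the weak ciphers and hashes listed above. The token mapping (for example `3DES` to DES3 and a trailing `SHA` to SHA1), the function names, and the sample scan result are assumptions constructed for illustration.

```python
# Added example: flag cipher suites that match the weak lists on this page.
# Tokens as they appear in IANA suite names -> labels used in the lists above
# (this mapping is an assumption, not taken from the detector).
WEAK_CIPHERS = {"NULL": "NULL", "RC2": "RC2", "RC4": "RC4", "DES": "DES",
                "DES40": "DES", "3DES": "DES3", "SM4": "SM4"}
WEAK_HASHES = {"MD5": "MD5", "SHA": "SHA1", "SHA1": "SHA1", "SM3": "SM3"}


def classify(suite):
    """Return sorted labels such as 'cipher:RC4' or 'hash:MD5' for one suite."""
    name = suite.strip().upper()
    # Pre-TLS 1.3 names are <key exchange>_WITH_<cipher>_<hash>; only the part
    # after _WITH_ names the cipher and hash. TLS 1.3 names have no _WITH_.
    _, sep, tail = name.partition("_WITH_")
    tokens = (tail if sep else name).split("_")
    labels = set()
    for token in tokens:
        if token in WEAK_CIPHERS:
            labels.add("cipher:" + WEAK_CIPHERS[token])
        if token in WEAK_HASHES:
            labels.add("hash:" + WEAK_HASHES[token])
    return sorted(labels)


def audit(accepted):
    """accepted maps a TLS version to the suite names the server agreed to."""
    report = []
    for version, suites in accepted.items():
        for suite in suites:
            labels = classify(suite)
            if labels:
                report.append((version, suite, labels))
    return report


# Constructed sample scan result (not real server output).
SAMPLE = {
    "TLSv1.0": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_NULL_SHA256"],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384", "TLS_SM4_GCM_SM3"],
}

if __name__ == "__main__":
    for version, suite, labels in audit(SAMPLE):
        print(f"{version}  {suite}  {', '.join(labels)}")
```

Suites with a SHA256 or SHA384 suffix are not flagged, because only the exact tokens `SHA`, `SHA1`, `MD5` and `SM3` count as weak hashes here.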