My vulnerability scanner is taking issue with the SSL config in the xcatd service running on port 3001. The scanner is able to make the following connections:
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
This is a reference good configuration for a popular web server, but I'm not sure how to translate it to xcat:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
The xcat configuration setting xcatsslciphers corresponds to the IO::Socket::SSL configuration setting SSL_Cipher_list, which takes the exact same input as the SSLCipherSuite directive in Apache.
You can then verify the config value as follows:
Restart xcat:
Verify security:
You should not see a certificate come up.
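Because xcatsslciphers, SSL_Cipher_list and Apache's SSLCipherSuite all use OpenSSL cipher-string syntax, a cipher string can be checked offline before it is put into xcat. The following added example (not from the question, the answer, or xcat itself) lets the local OpenSSL expand the reference string and reports anything below the scanner's 112-bit threshold; it also parses the scanner's own `Enc=DES(56)` field from the two quoted findings.

```python
import re
import ssl

# Reference cipher string quoted in the question (Apache SSLCipherSuite syntax,
# which IO::Socket::SSL's SSL_cipher_list, and so xcatsslciphers, also accept).
REFERENCE_CIPHERS = "ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Scanner threshold from the question: "medium strength" is >= 56 and < 112 bits.
MIN_STRENGTH_BITS = 112

# The two scanner findings quoted in the question, used here as constructed sample input.
SCANNER_FINDINGS = [
    "SSLv3 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
    "TLSv1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
]

# Matches the Enc=<algorithm>(<bits>) field of an 'openssl ciphers -v' style line.
ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9-]+)\((?P<bits>\d+)\)")


def enc_key_bits(description):
    """Symmetric key size from an Enc= field, e.g. 'Enc=DES(56)' -> 56.
    Returns None when there is no such field (e.g. 'Enc=None' for eNULL suites)."""
    m = ENC_RE.search(description)
    return int(m.group("bits")) if m else None


def weak_scanner_findings(lines, min_bits=MIN_STRENGTH_BITS):
    """Scanner lines whose advertised key size is below min_bits."""
    return [line for line in lines
            if enc_key_bits(line) is not None and enc_key_bits(line) < min_bits]


def expand_cipher_string(cipher_string):
    """Let the local OpenSSL expand a cipher string exactly as a server would.
    Returns the list of cipher dicts (name, protocol, strength_bits, description, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_ciphers(cipher_string, min_bits=MIN_STRENGTH_BITS):
    """Names of ciphers the string would enable whose effective strength is below
    min_bits. An empty list means the string passes the scanner's key-size check
    on this OpenSSL build (the set of available ciphers depends on that build)."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["strength_bits"] < min_bits]


if __name__ == "__main__":
    for line in weak_scanner_findings(SCANNER_FINDINGS):
        print("scanner finding below threshold:", line)
    enabled = expand_cipher_string(REFERENCE_CIPHERS)
    print("reference string enables %d ciphers, weak: %s"
          % (len(enabled), weak_ciphers(REFERENCE_CIPHERS) or "none"))
```

Note that `!LOW` is what removes DES-CBC-SHA (OpenSSL classes 56-bit DES as LOW even though the scanner calls it medium), so the check passes only because that exclusion is present.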