Insecure Encryption Algorithm - Anonymous Cipher Suites

Need

To ensure secure encrypted connections that are not vulnerable to MitM attacks

Context

Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
Usage of Erlang/OTP's ssl application for secure communication

Description

Non compliant code

{:ok, _} = :ssl.listen(4001, [:inet6, {:packet, 0}, {:active, false}, {:keyfile, 'key.pem'}, {:certfile, 'cert.pem'}, {:versions, ['tlsv1.2']}, {:ciphers, [:'ECDH-ECDSA-AES128-GCM-SHA256', :anonymous] }])

This code snippet creates an SSL server that accepts connections using anonymous cipher suites. This means that it does not authenticate the server to the client, allowing potential MitM attacks.

Steps

Identify where your application is setting up SSL connections and allowing anonymous cipher suites.
Remove any anonymous cipher suites from the list of allowed ciphers.
Ensure that all connections require authentication, rejecting anonymous cipher suites.

Compliant code

{:ok, _} = :ssl.listen(4001, [:inet6, {:packet, 0}, {:active, false}, {:keyfile, 'key.pem'}, {:certfile, 'cert.pem'}, {:versions, ['tlsv1.2']}, {:ciphers, [:'ECDH-ECDSA-AES128-GCM-SHA256'] }])

This code snippet creates an SSL server that does not accept connections using anonymous cipher suites. By only allowing secure cipher suites, it ensures that all connections are authenticated and resistant to MitM attacks.

References

092.Insecure encryption algorithm - Anonymous cipher suites

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​