Synopsis:
The remote service supports the use of medium strength SSL ciphers.
Description:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (> 64-bit and < 112-bit key)
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
</plugin_output>
Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
how to tell what are medium strength ciphers? Using IIScrypto I don't see anything that matches the string above.
under the ciphers column I see aes 128/128 checked not the rc4 64/128 that would fall under the 64bit and 112 bit . Guessing I'm reading the wrong.