6.10.3.4 Ensure XNM-SSL SSLv3 Support is Not Set

Information

If the XNM-SSL service is configured, SSLv3 should not be enabled.

Rationale:

JUNOScript can be configured to use SSL/TLS transport to prevent the exposure of sensitive data and authentication details on the network. If configured, the XNM-SSL service listens on port TCP/3220.

Secure Sockets Layer version 3 (SSLv3) is an old standard for securing communication, which has proved vulnerable to a number of systemic weaknesses and is now considered unsuitable for use for securing sensitive sessions, such as those used by JUNOScript. SSLv3 has been replaced by the Transport Layer Security (TLS) standard.

Although support for SSLv3 has been disabled by default in most JUNOS Releases, it is still possible to enable support for SSLv3 using a hidden configuration command in some currently supported versions of JUNOS.

Because this would enable a significantly weaker standard, it is strongly recommended that SSLv3 Support should never be enabled.

Impact:

If a JUNOScript client does not support the newer TLS standard, it will be unable to connect to the JUNOS Device.

NOTE: XNM-SSL does not appear to be configured on the target. This check is not applicable.

Solution

XNM-SSL SSLv3 Support can be disabled by issuing the following command from the [edit system services xnm-ssl] hierarchy:

[edit system services xnm-ssl]
user@host# delete sslv3-support
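The following audit helper is an added example, not part of the CIS benchmark, the Tenable plugin or Junos itself. It takes a Junos configuration in "set" display format (as produced by show configuration | display set) and returns the same three outcomes this check distinguishes: not applicable when no xnm-ssl stanza exists, fail when sslv3-support is present under it, and pass otherwise. The sample configurations embedded in it are constructed for illustration and do not come from any real device.

```python
"""Audit helper for the XNM-SSL SSLv3 check (added example, not benchmark code).

Parses a Junos configuration in "set" display format and reports:

  NOT_APPLICABLE -> no `set system services xnm-ssl ...` lines at all
  FAIL           -> `set system services xnm-ssl sslv3-support` is present
  PASS           -> xnm-ssl is configured without sslv3-support
"""
import re

# Every xnm-ssl statement in set format starts with this prefix.
XNM_SSL_PREFIX = "set system services xnm-ssl"


def audit_xnm_ssl_sslv3(config_text: str) -> str:
    """Return NOT_APPLICABLE, FAIL or PASS for a set-format configuration."""
    xnm_lines = []
    for raw in config_text.splitlines():
        # Collapse whitespace runs so odd spacing cannot hide a match.
        line = re.sub(r"\s+", " ", raw.strip())
        if line == XNM_SSL_PREFIX or line.startswith(XNM_SSL_PREFIX + " "):
            xnm_lines.append(line)

    if not xnm_lines:
        # Service not configured: nothing to audit (matches the NOTE above).
        return "NOT_APPLICABLE"

    for line in xnm_lines:
        tokens = line.split(" ")
        # sslv3-support is a flag directly under xnm-ssl, i.e. token index 4.
        if len(tokens) > 4 and tokens[4] == "sslv3-support":
            return "FAIL"
    return "PASS"


def remediation(config_text: str) -> list:
    """Return the configuration-mode commands from the Solution for a FAIL."""
    if audit_xnm_ssl_sslv3(config_text) == "FAIL":
        return ["edit system services xnm-ssl", "delete sslv3-support"]
    return []


# Constructed sample configurations (not captured from a real device).
SAMPLE_FAIL = """\
set system services ssh protocol-version v2
set system services xnm-ssl local-certificate junos-cert
set system services xnm-ssl sslv3-support
"""
SAMPLE_PASS = """\
set system services xnm-ssl local-certificate junos-cert
set system services xnm-ssl connection-limit 5
"""
SAMPLE_NA = """\
set system services ssh protocol-version v2
set system services netconf ssh
"""

if __name__ == "__main__":
    for name, cfg in (("fail", SAMPLE_FAIL), ("pass", SAMPLE_PASS), ("na", SAMPLE_NA)):
        print(name, audit_xnm_ssl_sslv3(cfg), remediation(cfg))
```

Feed the script the output of show configuration | display set from the device being assessed; an offline copy of the configuration is enough, so the check can run as part of a configuration review without device access.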

Default Value:

The XNM-SSL Service is disabled by default.

SSLv3 was disabled by default in Junos OS 13.2R8, 13.3R6, 14.1R5 and 14.2R3 (depending on platform). Support for the sslv3-support command was removed in JUNOS Version 15.1.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 00fe48e149e0d09d87303d76920545129ddf0b03a1b5da941894638ca8f03295