[cisco-voip] Info for answering a pen test report on Expressway

ROZA, Ariel Ariel.ROZA at LA.LOGICALIS.COM
Thu Jan 4 16:21:32 EST 2018


Guys/gals,

A customer of mine had a pen test performed on their Expressway server and asked me for advice on correcting the issues reported.

There are three things to fix:

a) SSL 64-bit Block Size Cipher Supported (SWEET32)
b) SSL Medium Strength Cipher Suites Supported (Should support only high strength)
c) Clickjacking: X-Frame-Options header missing

For a) I already checked that we need an upgrade to version 8.8.3 or later
For b) I suppose I have to review their security/SSL settings,
But what about c)? Is there a way to verify, or is it documented anywhere, which HTTP headers are supported by the platform, and better yet, in which version? I have searched through the site, and saw several Expressway debugs that show the header being used, but have no reference points like version numbers, or similar.

My customer's Expressway version is 8.8.2

Regards,

Ariel.
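
An added example, not part of the original post: a small re-test helper for findings a) and c), run over data already captured from the server (the suite list a scanner reports and the headers of one web response). The function names and all sample values are constructed for illustration; finding b) is not modeled.

```python
import re

# Name tokens of 64-bit block ciphers (the SWEET32 class) as they appear in
# OpenSSL-style and IANA-style suite names.
BLOCK64_TOKENS = {"DES", "3DES", "CBC3", "IDEA", "RC2"}

def is_64bit_block(suite):
    """True if the suite name contains a 64-bit block cipher token."""
    return bool(BLOCK64_TOKENS & set(re.split(r"[-_]", suite.upper())))

def framing_protected(headers):
    """True if the response restricts framing, either with X-Frame-Options
    or with a Content-Security-Policy frame-ancestors directive."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    csp = h.get("content-security-policy", "")
    return any(d.strip().lower().startswith("frame-ancestors ")
               for d in csp.split(";"))

def audit(suites, headers):
    """Return (finding, offending suites) pairs that are still open."""
    findings = []
    weak = [s for s in suites if is_64bit_block(s)]
    if weak:
        findings.append(("SWEET32: 64-bit block cipher offered", weak))
    if not framing_protected(headers):
        findings.append(("Clickjacking: no framing restriction", []))
    return findings

# Constructed sample data: before and after remediation.
BEFORE_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-DES-CBC3-SHA",
                 "AES128-SHA", "DES-CBC3-SHA"]
BEFORE_HEADERS = {"Server": "example", "Content-Type": "text/html"}
AFTER_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]
AFTER_HEADERS = {"Content-Type": "text/html", "x-frame-options": "sameorigin"}

if __name__ == "__main__":
    for label, suites, headers in (("before", BEFORE_SUITES, BEFORE_HEADERS),
                                   ("after", AFTER_SUITES, AFTER_HEADERS)):
        print(label, audit(suites, headers) or "no open findings")
```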
