Unable to pass SecurityMetrics/PCI compliance scan.

We've tried everything. Security Metrics scan gives us a fail for port 443 with a message that mentions "weak encryption".

Here is the full content of the SecurityMetrics fail message:

---------------
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers ( 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
TCP 2077 trellisagt 3
Synopsis : The remote web
-------------

I've added the following encryption string using both Apache Configuration ---> Global Configuration in WHM, as well as to the individual account's vsite area of the httpd.conf file:

ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

I believe this should work to get them passed, but after three attempts using variations of the above, they have all failed.

Top Expert 2010
Commented:
Assuming you have no SSL-accelerating Cisco, Juniper, F5.... kit between your Web server(s) and the internet, try using the following values in your Apache httpd.conf:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

Restart Apache, then check if you're still supporting any weak (<128 bit) ciphers AND / OR SSLv2 (not allowed), by sticking your URL in:

http://www.serversniff.net/content.php?do=ssl

Or typing the following at a Linux command prompt (or DOS prompt if you download the tool):

openssl s_client -connect aaa.bbb.ccc.ddd:443 -ssl2
openssl s_client -connect aaa.bbb.ccc.ddd:443 -ssl3 -cipher LOW

Where: aaa.bbb.ccc.ddd is either your Website's hostname or IP.


Note: You may lose a few customers, as there are many million PCs out there running <= IE6.0, with only SSLv2 and/or weak cipher support enabled, so it may be worth adding a few words / links to the site before the switch.
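As an added example (not from either poster), a small Python checker that parses `openssl ciphers -v`-style lines, the same field layout the scan's plugin output quotes, and flags export-grade, sub-128-bit, NULL and anonymous ciphers; `weak_ciphers_enabled_by` feeds it the local `openssl ciphers -v '<SSLCipherSuite string>'` expansion so a candidate string can be audited before restarting Apache. The sample listing is constructed; note that `!EXPORT56` in the asker's string only removes 56-bit export ciphers, while the scan lists 40-bit ones (`Enc=DES(40)`, `RC4(40)`, `RC2(40)`), which `!EXPORT` (or a `HIGH`-only string like the one suggested here) does remove.

```python
import re
import subprocess

# One `openssl ciphers -v` line, the field layout the SecurityMetrics output quotes;
# the protocol column is optional because the scan report prints it as a heading.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+)?"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?"
    r"\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?")

# Constructed sample in `openssl ciphers -v` format, not real scanner output.
SAMPLE = """\
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)  Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)  Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None     Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256) Mac=SHA1
"""

def parse_cipher_line(line):
    """Return the cipher's fields as a dict, or None for non-cipher text."""
    m = CIPHER_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    c["bits"] = int(c["bits"]) if c["bits"] else None  # None when Enc=None
    c["export"] = c["export"] is not None
    return c

def weak_reasons(c):
    """Why a PCI scanner flags this cipher: export, <128-bit, NULL, anonymous."""
    checks = [
        (c["export"], "export-grade"),
        (c["enc"] == "None", "no encryption"),
        (c["bits"] is not None and c["bits"] < 128, f"{c['bits']}-bit key"),
        (c["au"] == "None", "anonymous key exchange"),  # what !ADH / !aNULL remove
    ]
    return [why for hit, why in checks if hit]

def find_weak_ciphers(text):
    """Map each weak cipher name in a -v listing to its list of reasons."""
    parsed = filter(None, map(parse_cipher_line, text.splitlines()))
    return {c["name"]: r for c in parsed if (r := weak_reasons(c))}

def weak_ciphers_enabled_by(spec):
    """Expand an SSLCipherSuite string with the local openssl and audit it."""
    listing = subprocess.run(["openssl", "ciphers", "-v", spec],
                             check=True, capture_output=True, text=True).stdout
    return find_weak_ciphers(listing)
```

Current OpenSSL releases no longer ship export ciphers, so the local expansion will only show them on the older builds this thread is about.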

Author

Commented:
Thanks for this. Follow up question:

When I run the openssl s_client test at shell (Linux server), I do get this:

CONNECTED(00000003)

However, there is no other text; the prompt just holds there until I cancel out. I was hoping to get an error, but because there is no key returned with all the other SSL info???? Does this indicate a failure (meaning that we still have more work to do), or a success?

Top Expert 2010

Commented:
Hi

The CONNECT indicates it's managed to connect to the port, but you should have more output than that. Try:

openssl s_client -msg -connect xxx.yyy.zzz.ddd:443  -ssl2 -cipher LOW

Author

Commented:
Thanks for the help!
