CRS6205
 asked on

The remote host supports the use of SSL ciphers that offer medium strength encryption

I am trying to pass a PCI compliance test and my only fail is at this level. The result I get is:
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

I went into /etc/httpd/conf.d and changed the file to read as:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH

When I test with this command:
# openssl s_client -connect 208.109.101.133:443 -ssl2

It fails (that is a good thing). When I put -ssl3, this passes.

When I put in a domain name:
# openssl s_client -connect onlinesafetysupplies.net:443 -ssl2
this shows that SSLv2 works.

I do not know what to do next. If it matters, this is on a GoDaddy dedicated server running Red Hat Fedora Core 8.
There is also a turbopanel.conf file, but I do not think it does anything.

Thank You
Tags: Linux, Linux Distributions, Apache Web Server

cjl7

Hi,

Check out this page: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Also, did you create your certificate yourself? How did you create it?

//jonas
CRS6205

ASKER
I ordered the cert through GoDaddy Cert. process.

CRS6205

ASKER
I have tried several variations from the link above and nothing. My conf.d looks like:
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1 +SSLv3 -SSLv2



#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH

# This was added by Matthew Jancosek
<Location /strong/area>
https:///home/safetysupplies/public_html
# requires strong ciphers
SSLCipherSuite HIGH
</Location>

Is there any way of finding out where the SSLv2 is coming from? I still receive the following when testing.

Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 1555 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: AED2B3BFFEE86C1679B592EE8C2B7EF4
    Session-ID-ctx:
    Master-Key: 233AA15FBC0BEF46A8ADE35F488F4FED9B84D7995EA7ED8E
    Key-Arg   : F62C07194AFD2D25
    Krb5 Principal: None
    Start Time: 1266519609
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
CRS6205

ASKER
It just is not making sense how the server is fine and will not shake hands with SSLv2 but will with SSLv3. But the rules will not carry over to the websites.

Is there a way to do this in an .htaccess file?
CRS6205

ASKER
This is what I got from GoDaddy:
John S. - Server Support: It uses VirtualHosts, if that is what you mean.
John S. - Server Support: Yes, that is how the Apache configuration is actually set.
John S. - Server Support: The primary configuration file is /etc/httpd/conf.d/turbopanel.conf if you want to review how they have it setup.

Here is what is given from the turbopanel_ssl conf.
CRS6205

ASKER
Ok here is the code.
NameVirtualHost 208.109.101.160:443

<VirtualHost 208.109.101.160:443>
    ServerAdmin "webmaster@onlinesafetysupplies.net"
    ServerName onlinesafetysupplies.net
    ServerAlias www.onlinesafetysupplies.net
    MIMEMagicFile /dev/null
    CustomLog logs/onlinesafetysupplies.net_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    ErrorLog logs/onlinesafetysupplies.net_error_log

    DocumentRoot "/home/safetysupplies/public_html"
    <Directory "/home/safetysupplies/public_html">
        Options +Indexes +FollowSymLinks +Includes
        XBitHack on
        Order allow,deny
        Allow from all
        AllowOverride All
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

    SSLEngine on
    SSLCACertificateFile "/var/turbopanel/certs/3/Cert3.ca"
    SSLCertificateFile "/var/turbopanel/certs/3/Cert3.crt"
    SSLCertificateKeyFile "/var/turbopanel/certs/3/Cert3.key"
    Alias /mod_perl "/home/safetysupplies/public_html/mod_perl"
    <Directory "/home/safetysupplies/public_html/mod_perl">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
    </Directory>

    <Location /perl-status>
        SetHandler perl-script
        PerlResponseHandler Apache::Status
        Order deny,allow
        Deny from all
        Allow from onlinesafetysupplies.net
    </Location>

    ScriptAlias /cgi-bin "/home/safetysupplies/public_html/cgi-bin"

    Alias /usage /var/www/stats/onlinesafetysupplies.net
    <Directory /var/www/stats/onlinesafetysupplies.net>
        Order allow,deny
        Allow from all
    </Directory>

    <Location /usage>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
ahoffmann

The problem is not your cert but your virtual host configuration; use something like:

SSLProtocol TLSv1 +SSLv3
SSLCipherSuite HIGH:SHA1:MD5


BTW, I doubt that you pass the PCI test as long as your /perl-status is accessible, as it violates/matches OWASP top 10 ;-)
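To see why the edited directives did not reach the site, here is an added check (not code from this thread or from ahoffmann) that reads an Apache config and reports every SSL-enabled VirtualHost that carries no SSLProtocol or SSLCipherSuite of its own, and whose effective SSLProtocol therefore still permits SSLv2. It assumes a constructed config with placeholder names and paths, and the mod_ssl rule that an unset SSLProtocol defaults to "all", which on the OpenSSL 0.9.8-era servers of this thread includes SSLv2.

```python
import re

# Constructed sample modelled on this thread (placeholder names and paths): the
# edited ssl.conf directives sit inside the _default_ vhost, while the panel's
# per-site vhost enables SSL without any SSL protocol or cipher directive.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol -all +TLSv1 +SSLv3 -SSLv2
    SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile "/path/to/placeholder.crt"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(SSLEngine|SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.M | re.I)

def directives(text):
    """Map lower-cased directive name -> value for one configuration scope."""
    return {m.group(1).lower(): m.group(2) for m in DIRECTIVE_RE.finditer(text)}

def allows_sslv2(proto):
    # Tokens are applied left to right; "all" is assumed to include SSLv2
    # (OpenSSL 0.9.8-era mod_ssl), so "all -SSLv2" disables it again.
    enabled = False
    for tok in proto.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() in ("all", "sslv2"):
            enabled = sign == "+"
    return enabled

def audit(conf):
    """Return (vhost, finding) pairs for every SSL-enabled VirtualHost."""
    findings = []
    global_d = directives(VHOST_RE.sub("", conf))  # directives outside any vhost
    for m in VHOST_RE.finditer(conf):
        name, d = m.group(1), directives(m.group(2))
        if d.get("sslengine", "off").lower() != "on":
            continue
        for key in ("sslprotocol", "sslciphersuite"):
            if key not in d:
                findings.append((name, f"{key} not set in vhost; inherits {global_d.get(key, '<default>')}"))
        proto = d.get("sslprotocol", global_d.get("sslprotocol", "all"))
        if allows_sslv2(proto):
            findings.append((name, f"effective SSLProtocol permits SSLv2: {proto}"))
    return findings
```

Run against the real turbopanel.conf, the per-site vhost shows up exactly like the second sample block: SSLEngine on, nothing else, so the fix belongs inside that VirtualHost.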
ASKER CERTIFIED SOLUTION
CRS6205
