CRS6205
asked on
The remote host supports the use of SSL ciphers that offer medium strength encryption
I am trying to pass a PCI compliance test and my only fail is at this level. The result I get is:
Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
I went into:
/etc/httpd/conf.d
and changed the file to read as:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH
When I test with this command:
# openssl s_client -connect 208.109.101.133:443 -ssl2
It fails (that is a good thing). When I put -ssl3, this passes.
When I put in a domain name in:
# openssl s_client -connect onlinesafetysupplies.net:443 -ssl2
this will show ssl2 is good.
I do not know what to do next. If it matters, this is on a:
GoDaddy dedicated server, Red Hat Fedora Core 8
There is also turbopanel.conf file but I do not think it does anything.
Thank You
ASKER
I ordered the cert through GoDaddy Cert. process.
ASKER
I have tried several variations from the link above and nothing. My conf.d looks like:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1 +SSLv3 -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH
# This was added by Matthew Jancosek
<Location /strong/area>
https:///home/safetysupplies/public_html
# requires strong ciphers
SSLCipherSuite HIGH
</Location>
Is there any way of finding out where the SSLv2 is coming from? I still receive the following when testing.
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1555 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: AED2B3BFFEE86C1679B592EE8C2B7EF4
Session-ID-ctx:
Master-Key: 233AA15FBC0BEF46A8ADE35F488F4FED9B84D7995EA7ED8E
Key-Arg : F62C07194AFD2D25
Krb5 Principal: None
Start Time: 1266519609
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
ASKER
It just is not making sense how the server is fine and will not shake hands with SSLv2 but will with SSLv3. But the rules will not carry over to the websites.
Is there a way to do this on htaccess file?
ASKER
This is what I got from GoDaddy:
John S. - Server Support: It uses VirtualHosts, if that is what you mean.
John S. - Server Support: Yes, that is how the Apache configuration is actually set.
John S. - Server Support: The primary configuration file is /etc/httpd/conf.d/turbopanel.conf if you want to review how they have it set up.
Here is what is given from the turbopanel_ssl conf.
ASKER
Ok here is the code.
NameVirtualHost 208.109.101.160:443
<VirtualHost 208.109.101.160:443>
ServerAdmin "webmaster@onlinesafetysupplies.net"
ServerName onlinesafetysupplies.net
ServerAlias www.onlinesafetysupplies.net
MIMEMagicFile /dev/null
CustomLog logs/onlinesafetysupplies.net_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
ErrorLog logs/onlinesafetysupplies.net_error_log
DocumentRoot "/home/safetysupplies/public_html"
<Directory "/home/safetysupplies/public_html">
Options +Indexes +FollowSymLinks +Includes
XBitHack on
Order allow,deny
Allow from all
AllowOverride All
AddHandler mod_python .py
PythonHandler mod_python.publisher
PythonDebug On
</Directory>
SSLEngine on
SSLCACertificateFile "/var/turbopanel/certs/3/Cert3.ca"
SSLCertificateFile "/var/turbopanel/certs/3/Cert3.crt"
SSLCertificateKeyFile "/var/turbopanel/certs/3/Cert3.key"
Alias /mod_perl "/home/safetysupplies/public_html/mod_perl"
<Directory "/home/safetysupplies/public_html/mod_perl">
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
</Directory>
<Location /perl-status>
SetHandler perl-script
PerlResponseHandler Apache::Status
Order deny,allow
Deny from all
Allow from onlinesafetysupplies.net
</Location>
ScriptAlias /cgi-bin "/home/safetysupplies/public_html/cgi-bin"
Alias /usage /var/www/stats/onlinesafetysupplies.net
<Directory /var/www/stats/onlinesafetysupplies.net>
Order allow,deny
Allow from all
</Directory>
<Location /usage>
Order allow,deny
Allow from all
</Location>
</VirtualHost>
the problem is not your cert but your virtual host configuration, use something like:
SSLProtocol TLSv1 +SSLv3
SSLCipherSuite HIGH:SHA1:MD5
BTW, I doubt that you pass the PCI test as long as your /perl-status is accessible, as it violates/matches OWASP top 10 ;-)
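As an added example (not code from the thread or from any poster), a POSIX shell check that runs openssl s_client with -ssl2/-ssl3/-tls1 against one name or IP at a time and classifies what was negotiated, so each virtual host gets its own rows and the one still answering SSLv2 or medium-strength ciphers stands out. The function names classify_handshake and probe_host and the two sample sessions are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. classify_handshake reads openssl s_client
# output and reports "<protocol> <cipher> <verdict>"; probe_host runs s_client
# with -ssl2/-ssl3/-tls1 so each name or IP (each virtual host) gets its own row.
# Verdicts: FAIL = protocol refused (what you want for -ssl2), WEAK = SSLv2 or an
# export cipher, MEDIUM = single DES (the scan's 56..111-bit band) or RC2/RC4/3DES
# (flagged as medium or weak by current scanners), OK = anything else.

classify_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    [ -n "$proto" ] || proto='?'
    case "$cipher" in
        ''|'(NONE)'|0000) echo "$proto (NONE) FAIL"; return 0 ;;   # no handshake
    esac
    verdict=OK
    case "$cipher" in
        EXP-*)                  verdict=WEAK ;;    # 40-bit export suites
        DES-CBC-*)              verdict=MEDIUM ;;  # 56-bit single DES
        *RC4*|*RC2*|DES-CBC3-*) verdict=MEDIUM ;;  # legacy, flagged today
    esac
    if [ "$proto" = SSLv2 ]; then verdict=WEAK; fi    # SSLv2 itself fails PCI
    echo "$proto $cipher $verdict"
}

# usage: probe_host host-or-ip:port  (needs network; OpenSSL builds without
# SSLv2/SSLv3 support reject -ssl2/-ssl3 and that row simply reads FAIL)
probe_host() {
    for opt in -ssl2 -ssl3 -tls1; do
        row=$(openssl s_client -connect "$1" $opt </dev/null 2>/dev/null | classify_handshake)
        printf '%-6s %s\n' "$opt" "$row"
    done
}

# Constructed sample: the SSLv2 session the thread's s_client output shows.
SAMPLE_SSLV2='New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'
# Constructed sample: a refused protocol (older openssl prints 0000, newer (NONE)).
SAMPLE_NONE='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

if [ $# -eq 1 ]; then probe_host "$1"; else
    printf '%s\n' "$SAMPLE_SSLV2" | classify_handshake
fi
```

Run it as `sh check.sh 208.109.101.133:443` and again with the domain name; the two result tables show which virtual host still negotiates SSLv2, which is what the asker's ssl.conf edit did not reach.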
ASKER CERTIFIED SOLUTION
Check out this page: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
Also, did you create your certificate yourself? How did you create it?
//jonas