Link to home
Create AccountLog in
Avatar of CRS6205
CRS6205

asked on

The remote host supports the use of SSL ciphers that offer medium strength encryption

I am trying to pass a PCI compliance test and my only fail is at this level. The result I get is:
Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)  [More]

I went into:
ROOT  / etc  / httpd  / conf.d
and changed the file to read as:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH

When I test with this command:
# openssl s_client -connect 208.109.101.133:443 -ssl2openssl s_client -connect onlinesafetysupplies.net:443 -ssl2

It fails (that is a good thing). when I put -ssl3 (this passes).

When I put in a domain name in:
# openssl s_client -connect onlinesafetysupplies.net:443 -ssl2
this will show ssl2 is good.

I do not not know what to do next. If it matters this is on a:
 godaddy dedicated server. Red Hat Fedora Core 8
 There is also turbopanel.conf file but I do not think it does anything.

Thank You
Avatar of cjl7
cjl7
Flag of Sweden image

Hi,

Check out this page: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Also, did you create your certificate yourself? How did you create it?

//jonas
Avatar of CRS6205
CRS6205

ASKER

I ordered the cert through GoDaddy Cert. process.

Avatar of CRS6205

ASKER

I have tried several variations from the link above and nothing. My conf.d look like
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1 +SSLv3 -SSLv2



#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite HIGH:!aNULL:+SHA1:+MD5:+HIGH

# This was added by Matthew Jancosek
<Location /strong/area>
https:///home/safetysupplies/public_html
# requires strong ciphers
SSLCipherSuite HIGH
</Location>

Is there any way of finding out where the SSLv2 is coming from? I still recieve the following when testing.

Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 1555 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: AED2B3BFFEE86C1679B592EE8C2B7EF4
    Session-ID-ctx:
    Master-Key: 233AA15FBC0BEF46A8ADE35F488F4FED9B84D7995EA7ED8E
    Key-Arg   : F62C07194AFD2D25
    Krb5 Principal: None
    Start Time: 1266519609
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
Avatar of CRS6205

ASKER

It just is not making sense how the server is fine and will not shake hands with SSLv2 but will with SSLv3. But the rules will not carry over to the websites.

Is there a way to do this on htaccess file?
Avatar of CRS6205

ASKER

This is what I got from GoDaddy:
John S. - Server Support: It uses VirtualHosts is that is what your meaning.
John S. - Server Support: Yes, that is how the Apache configuration is actually set.
John S. - Server Support: The primary configuration file is /etc/httpd/conf.d/turbopanel.conf if you want to review how they have it setup.

Here is what is given from the turbopanel_ssl conf.
Avatar of CRS6205

ASKER

Ok here is the code.
NameVirtualHost 208.109.101.160:443

<VirtualHost 208.109.101.160:443>
    ServerAdmin "webmaster@onlinesafetysupplies.net"
    ServerName onlinesafetysupplies.net
    ServerAlias www.onlinesafetysupplies.net
    MIMEMagicFile /dev/null
    CustomLog logs/onlinesafetysupplies.net_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    ErrorLog logs/onlinesafetysupplies.net_error_log

    DocumentRoot "/home/safetysupplies/public_html"
    <Directory "/home/safetysupplies/public_html">
        Options +Indexes +FollowSymLinks +Includes
        XBitHack on
        Order allow,deny
        Allow from all
        AllowOverride All
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

    SSLEngine on
    SSLCACertificateFile "/var/turbopanel/certs/3/Cert3.ca"
    SSLCertificateFile "/var/turbopanel/certs/3/Cert3.crt"
    SSLCertificateKeyFile "/var/turbopanel/certs/3/Cert3.key"
    Alias /mod_perl "/home/safetysupplies/public_html/mod_perl"
    <Directory "/home/safetysupplies/public_html/mod_perl">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
    </Directory>

    <Location /perl-status>
        SetHandler perl-script
        PerlResponseHandler Apache::Status
        Order deny,allow
        Deny from all
        Allow from onlinesafetysupplies.net
    </Location>

    ScriptAlias /cgi-bin "/home/safetysupplies/public_html/cgi-bin"

    Alias /usage /var/www/stats/onlinesafetysupplies.net
    <Directory /var/www/stats/onlinesafetysupplies.net>
        Order allow,deny
        Allow from all
    </Directory>

    <Location /usage>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
the problem is not your cert but your virtual host configuration, use something like:

SSLProtocol TLSv1 +SSLv3
SSLCipherSuite HIGH:SHA1:MD5


BTW, I doubt that you pass the PCI test as long as your /perl-status is accessable as it violates/matches OWASP top 10 ;-)
ASKER CERTIFIED SOLUTION
Avatar of CRS6205
CRS6205

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account