Solved

failing PCI scan due to SSL2 issue

Posted on 2010-08-26
9
859 Views
Last Modified: 2012-06-21
A third-party PCI compliance scanner let us know that we need to disable SSL2 on our mail server.  I followed this MS KB, and did that (including a reboot):

http://support.microsoft.com/kb/187498

Requested a re-scan, but the results are the same:

 
s_client -host x.x.x.x -port 443 -ssl2

Ciphers common between both SSL endpoints:
RC4-MD5         DES-CBC3-MD5

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv2

Open in new window


serversniff.net reports:

Available SSL2 ciphers:  
DES-CBC3-MD5 168 bit
RC4-MD5 128 bit

So I'm guessing I need to disable these ciphers as well.  However, I'm not sure what registry entry corresponds with these 2 ciphers.  These are the ciphers listed in the registry:

ciphers in registry

Windows 2008 Server/IIS 7

Thanks.
0
Comment
Question by:j_aebi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 19

Expert Comment

by:CoccoBill
ID: 33541083
Did you change the value of the "Enabled" key under "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" to dword:00000000 and restart the system?

Also, this is only one part of the PCI requirements regarding SSL. Another one is to disable all weak ciphers:

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html
0
 

Author Comment

by:j_aebi
ID: 33543714
Yes, as I said, I followed the first KB article, which specifies to change those dword values and restart.

My second question is indeed about the ciphers: "So I'm guessing I need to disable these ciphers as well.  However, I'm not sure what registry entry corresponds with these 2 ciphers.  These are the ciphers listed in the registry" (see pic that I posted).
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33544273
Hi,
For PCI Compliance, your CIPHERS and SSL version need to be updated. Here is the registry setting I implement for all my clients.
1. Create SSL.reg with this code attached.
 2. Execute entry into registry.
3. Reboot and run scan again.
Let me know if you have questions,
Hades666

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES]

Open in new window

0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 
LVL 30

Expert Comment

by:Brad Howe
ID: 33544369
And yes, for the other CIPHERS you have, Delete these keys.
DES 56/56, NULL, RC2 40/128, RC4 40/128, RC4 56/128
They are weak ciphers.
Cheers,
Hades666
0
 

Author Comment

by:j_aebi
ID: 33563246
Thanks Hades666, I'll give it a shot.
0
 

Author Comment

by:j_aebi
ID: 33563482
Ok, did that, but still seeing this from http://serversniff.net/sslcheck.php:

Preferred cipher:  
TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128)  
 
Available SSL2 ciphers:  
DES-CBC3-MD5 168 bit
RC4-MD5 128 bit

Attached file is what the registry looks like currently (2 files in one here - ciphers the protocols).

I don't have values set for the SSL2 client keys - does this matter?  Seems I've seen KB articles that both mention this, and don't mention it.



ciphers-protocols.txt
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33576370

Hi,

Yes, you need to disable the client and server protocols.

You should also delete the following cipher keys completely. Don't disable them. Both my sites report only 128/168/256 Bit encryption and SSL3 only.

Here is how my register Channels and ciphers are configured.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001

cheers, Hades666
0
 

Author Comment

by:j_aebi
ID: 33589274
Ok, thanks, this all looks good and I'll give it another shot.  However, I'm wondering what the difference is between using 00000001 and ffffffff for the "Enabled" DWORD values?  

In your example:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

In mine:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

I know you mentioned your sites are passing the PCI scans just fine, so all must be well :) but I'm curious, as that MS cipher KB mentions: "To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. "
0
 

Accepted Solution

by:
j_aebi earned 0 total points
ID: 33746482
So when I delete those cipher keys, close regedit and open it back up, they reappear.  And we then continue to fail this PCI scan.

I ended up contacting MS support about this and am working with them.  Thanks anyway.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month3 days, 19 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question