?
Solved

Cannot Pass A PCI Compliance Scan Because of SSLv2

Posted on 2013-06-03
2
Medium Priority
?
525 Views
Last Modified: 2013-06-04
Trying to pass a PCI compliance scan via Control Scan but keeps failing due to SSLv2 or a weak cipher is enabled. All I see in the registry is SSLv2 and I have disabled it and restarted with no luck. I'm under the impression that SSLv3 is enabled by default after disabling SSLv2?
0
Comment
Question by:MasterComputing
2 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 2000 total points
ID: 39216924
What version of Windows Sever / IIS?

Have you checked you registry for the appropriate value e.g. To quote Microsoft:

1. Is it possible to disable SSLv2 on a DC so that secure LDAP communication is forced to use SSLv3 or TLSv1?
Yes it is possible to disable SSLv2 on a DC. Please find below the registry changes that has to be done on the DC to disable it,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
If the above registry key does not exist please create and reboot the server for the registry key to come into effect.
Refer Article: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : http://support.microsoft.com/kb/245030/en-us 


Also to be sure the SSL2 in not supported, grab yourself a copy of the OpenSSL tool, and scan your own site to see what's available, from a public network e.g.

openssl s_client -no_tls1 -no_ssl3 -connect www.yourHost.com:443

Open in new window


The OWASP project offers assorted info on how to test your own site.
0
 

Author Closing Comment

by:MasterComputing
ID: 39220068
Under: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0,

Instead of Server, it was client that was set to DWORD=0. Added Server and passed the scan. Thanks!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question