Trying to complete PCI compliance and we get the following issue on a scan:
[quote]
SSL Medium Strength Cipher Suites Supported
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
[/quote]
Output of /etc/httpd/conf.d/ssl.conf (comments removed for brevity)
[code]
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
[/code]
This is a CentOS 5.5 system running 2.6.18-194.11.1.el5 x86_64 x86_64. Apache version is 2.2.3. Not sure what other specs are pertinent here because I am fairly certain I am just doing something wrong in the ssl.conf file. Can anyone help?
PCI - SSL Medium Strength Cipher Suites Supported
Re: PCI - SSL Medium Strength Cipher Suites Supported
Leaning towards adding this into the ssl.conf but am a developer not a sys admin and would like some assurances:
[code]SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128[/code]
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#onlystrong
Re: PCI - SSL Medium Strength Cipher Suites Supported
It's not totally clear what you're trying to accomplish. The scan report shows that Medium Strength ciphers are supported. Are they supposed to be disabled? If that's what you're trying to do, then changing the following line in ssl.conf to the following might do it:
[code]
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM
[/code]
This may help further: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite
Re: PCI - SSL Medium Strength Cipher Suites Supported
Yes, I am trying to get medium ciphers disabled so we can pass our PCI compliance. That makes sense; I will try that shortly here and report back.
PCI - SSL Medium Strength Cipher Suites Supported
Presently PCI permits medium-level ciphers.
This is an excerpt from a 'mod_ssl.conf' file, enabling (+) and disabling (-) ciphers at various levels. It is not enough simply not to list a cipher; to disable it, the leading '-' and an explicit mention of a level is needed.
[code]# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:!LOW:+HIGH:+MEDIUM
[/code]
Here, you could exclude MEDIUM by using [b]-MEDIUM[/b], but this is at the risk of not being supported in some browsers.
You may then get a preview examination, if you have it correct, without charge at: [url=https://www.ssllabs.com/ssldb/analyze.html]SSL Labs public testing interface[/url], which will 'rate' your setup.
You are hoping to see:
[code]
PCI compliant Yes
[/code]
A report like the one for [code]stronghold.pmman.com[/code] is pretty much what you are seeking to get to.
-- Russ herrold
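The DES(56) suites the scanner lists are in OpenSSL's LOW class (RC4-128 is what OpenSSL calls MEDIUM), so whether they disappear depends on the LOW keyword, not on what is done with MEDIUM. Added example, not from this thread or from Apache or OpenSSL: a small evaluator for OpenSSL-style cipher strings over a constructed suite table with the 0.9.8-era strength classes, showing what the strings quoted in this thread actually enable and how '!', '-' and '+' differ. The table, the keyword subset and the function names are assumptions, not OpenSSL's full cipher list.

```python
# Constructed table: (name, key exchange, auth, cipher, key bits, OpenSSL class).
# Not a full OpenSSL list; classes follow ciphers(1) for 0.9.8: DES(56) is LOW, RC4-128 is MEDIUM.
CIPHERS = [
    ("DHE-RSA-AES256-SHA",   "DH",  "RSA",  "AES",  256, "HIGH"),
    ("AES256-SHA",           "RSA", "RSA",  "AES",  256, "HIGH"),
    ("EDH-RSA-DES-CBC3-SHA", "DH",  "RSA",  "3DES", 168, "HIGH"),
    ("DES-CBC3-SHA",         "RSA", "RSA",  "3DES", 168, "HIGH"),
    ("RC4-SHA",              "RSA", "RSA",  "RC4",  128, "MEDIUM"),
    ("RC4-MD5",              "RSA", "RSA",  "RC4",  128, "MEDIUM"),
    ("EDH-RSA-DES-CBC-SHA",  "DH",  "RSA",  "DES",   56, "LOW"),
    ("DES-CBC-SHA",          "RSA", "RSA",  "DES",   56, "LOW"),
    ("ADH-AES128-SHA",       "DH",  "None", "AES",  128, "HIGH"),
    ("EXP-DES-CBC-SHA",      "RSA", "RSA",  "DES",   40, "EXPORT"),
]
# Keyword -> predicate over a table row. SSLv2 matches nothing because the table has no SSLv2 suites.
KEYWORDS = {
    "ALL": lambda c: True, "ADH": lambda c: c[2] == "None", "EXPORT": lambda c: c[5] == "EXPORT",
    "SSLv2": lambda c: False, "RSA": lambda c: c[1] == "RSA", "RC4": lambda c: c[3] == "RC4",
    "DES": lambda c: c[3] == "DES", "3DES": lambda c: c[3] == "3DES", "HIGH": lambda c: c[5] == "HIGH",
    "MEDIUM": lambda c: c[5] == "MEDIUM", "LOW": lambda c: c[5] == "LOW",
}

def match(word):
    """Indices (in table order) of suites matching every '+'-joined keyword, e.g. RC4+RSA."""
    ids = list(range(len(CIPHERS)))
    for kw in word.split("+"):
        if kw not in KEYWORDS:
            raise ValueError("unknown cipher keyword: " + kw)
        ids = [i for i in ids if KEYWORDS[kw](CIPHERS[i])]
    return ids

def expand(spec):
    """Apply an SSLCipherSuite string with OpenSSL's '!', '-', '+' and plain-append semantics."""
    enabled, killed = [], set()
    for word in spec.split(":"):
        op, word = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        ids = match(word)
        if op == "!":    # delete, and forbid re-adding later in the string
            killed.update(ids)
            enabled = [i for i in enabled if i not in ids]
        elif op == "-":  # delete, but a later plain keyword may add it back
            enabled = [i for i in enabled if i not in ids]
        elif op == "+":  # reorder only: matches move to the end but stay enabled
            enabled = [i for i in enabled if i not in ids] + [i for i in enabled if i in ids]
        else:            # append new matches unless they were killed
            enabled += [i for i in ids if i not in enabled and i not in killed]
    return [CIPHERS[i][0] for i in enabled]

def scanner_flags(spec):
    """Enabled suites a scanner using the threshold quoted above (< 112-bit key) would report."""
    names = set(expand(spec))
    return [c[0] for c in CIPHERS if c[0] in names and c[4] < 112]
```

Feeding it the ssl.conf string from the first post shows the two DES suites still enabled (and, after the '+HIGH:+MEDIUM' reordering, first in preference), while the '!LOW' string removes them.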