PCI - SSL Medium Strength Cipher Suites Supported


PCI - SSL Medium Strength Cipher Suites Supported

Post by systematical » 2011/08/10 17:50:02

We are trying to complete PCI compliance and get the following issue on a scan:

[quote]
SSL Medium Strength Cipher Suites Supported

Here are the medium strength SSL ciphers supported by the remote server:

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
  EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES(56)  Mac=SHA1
  DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES(56)  Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES(56)  Mac=SHA1
  DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES(56)  Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
[/quote]

Contents of /etc/httpd/conf.d/ssl.conf (comments removed for brevity):

[code]
LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
[/code]

This is a CentOS 5.5 system running kernel 2.6.18-194.11.1.el5 x86_64. The Apache version is 2.2.3. I am not sure what other specs are pertinent here, because I am fairly certain I am just doing something wrong in the ssl.conf file. Can anyone help?


Re: PCI - SSL Medium Strength Cipher Suites Supported

Post by systematical » 2011/08/10 17:57:22

I am leaning towards adding this to ssl.conf, but I am a developer, not a sysadmin, and would like some assurances:

[code]SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128[/code]

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#onlystrong


Re: PCI - SSL Medium Strength Cipher Suites Supported

Post by hawaiian717 » 2011/08/10 18:01:52

It's not totally clear what you're trying to accomplish. The scan report shows that medium strength ciphers are supported. Are they supposed to be disabled? If that's what you're trying to do, then changing the SSLCipherSuite line in ssl.conf to the following might do it:

[code]
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM
[/code]

This may help further: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite


Re: PCI - SSL Medium Strength Cipher Suites Supported

Post by systematical » 2011/08/10 18:04:53

Yes, I am trying to get medium ciphers disabled so we can pass our PCI compliance. That makes sense; I will try that shortly and report back.


PCI - SSL Medium Strength Cipher Suites Supported

Post by herrold » 2011/08/11 02:48:31

Presently PCI permits medium level ciphers.

This is an excerpt from a 'mod_ssl.conf' file, enabling (+) and disabling (-) ciphers at various levels. It is not enough simply not to list a cipher; to disable it, a leading '-' and an explicit mention of the level are needed:

[code]# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:!LOW:+HIGH:+MEDIUM
[/code]

Here, you could exclude MEDIUM by using [b]-MEDIUM[/b], but this is at the risk of not being supported in some browsers.

You may then get a free preview examination of whether you have it correct at the [url=https://www.ssllabs.com/ssldb/analyze.html]SSL Labs public testing interface[/url], which will 'rate' your setup.

You are hoping to see:

[code]
PCI compliant Yes
[/code]

A report like the one for [code]stronghold.pmman.com[/code] is pretty much what you are seeking.

-- Russ herrold
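As an added example (not code from the thread or from any of the posters), the following POSIX shell script sorts cipher descriptions in the format the scanner quoted in the first post (and that `openssl ciphers -v` prints) into the same LOW/MEDIUM/HIGH buckets the report uses, and adds a helper that re-tests a host with `openssl s_client` after the `SSLCipherSuite` line has been changed. The sample input is constructed: the four lines from the scan plus three made-up entries so every bucket is exercised. `www.example.com` is a placeholder host, and `check_host_cipher` is the only part that needs a network.

```shell
#!/bin/sh
# Added example: bucket OpenSSL cipher descriptions by nominal symmetric key
# size, using the thresholds the scan report states (LOW < 56, MEDIUM 56..111,
# HIGH >= 112), then optionally re-test a host with openssl s_client.
# Input format is what "openssl ciphers -v" prints and what the scanner quoted:
#   NAME PROTO Kx=... Au=... Enc=ALG(bits) Mac=... [export]

# Constructed sample: the four lines from the scan in the first post plus three
# extra entries (one export/LOW, two HIGH) so every bucket is exercised.
SAMPLE='EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# classify_ciphers: stdin = cipher descriptions; stdout = "<BUCKET> <NAME>" per line.
classify_ciphers() {
  awk '{
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^Enc=/) {
        bits = $i
        sub(/^Enc=[^(]*\(/, "", bits)   # "Enc=DES(56)" -> "56)"
        sub(/\).*/, "", bits)           # "56)"         -> "56"
        if (bits + 0 < 56)       bucket = "LOW"
        else if (bits + 0 < 112) bucket = "MEDIUM"
        else                     bucket = "HIGH"
        print bucket, $1
      }
    }
  }'
}

# ciphers_in_bucket BUCKET: names of the stdin ciphers that fall in BUCKET.
ciphers_in_bucket() {
  classify_ciphers | awk -v want="$1" '$1 == want { print $2 }'
}

# check_host_cipher HOST NAME: network check (not run by the offline part).
# Forces a single cipher; the server either completes the handshake with it
# (s_client prints "Cipher is NAME") or refuses it.
check_host_cipher() {
  if printf '' | openssl s_client -connect "$1:443" -cipher "$2" 2>/dev/null \
       | grep -q "Cipher is $2"; then
    echo "ACCEPTED $2"
  else
    echo "REFUSED  $2"
  fi
}

# Stand-alone run: list what the scanner would flag as medium strength.
printf '%s\n' "$SAMPLE" | ciphers_in_bucket MEDIUM

# Re-test after changing SSLCipherSuite (placeholder host; uncomment to use):
# for c in $(printf '%s\n' "$SAMPLE" | ciphers_in_bucket MEDIUM); do
#   check_host_cipher www.example.com "$c"
# done
```

The buckets use the nominal key size that OpenSSL reports, so 3DES shows as 168 bits even though its effective strength is 112; the thresholds themselves are the ones quoted in the scan. To run `check_host_cipher` against the old DES suites you need an OpenSSL build that still includes them, since current builds drop single DES and SSLv3 entirely. One detail worth keeping in mind when editing the cipher string: `!MEDIUM` removes those suites permanently, while `-MEDIUM` removes them but lets a later element of the same string add them back.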
