Stuff…

I know I will forget.


PCI scan picking up various weak cipher suites

August 22nd, 2008

The PCI scans appear to be picking up some weak cipher suites on HTTPS, POP3S, IMAPS and SMTPS. This is easily fixed with the following configuration file examples:

Apache ssl.conf (or httpd.conf):

#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLCipherSuite ALL:-ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1

If using Courier for IMAP and POP3, the imapd-ssl and pop3d-ssl files in /etc/courier-imap (or wherever the configuration files live) will need updating.

imapd-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

pop3d-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

And if using qmail for SMTP/SMTPS you may need to create the tlsserverciphers file in /var/qmail/control/. You can do this with:

openssl ciphers > /var/qmail/control/tlsserverciphers

Then remove the ciphers that the PCI scan is complaining about. In this case they were: EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5

Or, even better:

Directory: /etc/httpd/conf.d/
File: /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2

Directory: /var/qmail/control/
[root@server control]# cat tlsserverciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:-SSLv2
[root@server1 control]# cat tlsclientciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

Directory: /etc/courier-imap
[root@server courier-imap]# grep TLS_CIPHER_LIST= *-ssl
imapd-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
pop3d-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

I tested this by removing one of the above and trying to connect:

# openssl s_client -cipher EXP-RC4-MD5 -connect localhost:smtps
CONNECTED(00000003)
25857:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:489:

Then I put it back in the list, tried again and could connect again. Connections can be tested manually with: openssl s_client -ssl2 -connect host:port
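To see exactly which suites each of the cipher strings above selects, here is an added toy evaluator (my own example, not code from the original post or from OpenSSL) that applies OpenSSL's cipher-string rules (plain word adds, "-" removes, "+" only reorders, "!" removes permanently, "@STRENGTH" sorts) to a small constructed suite table. The table, its tags and bit counts are simplified assumptions; real OpenSSL has far more suites and attributes. It shows why the commented-out "+EXP" Apache line still offered export ciphers while "-EXP" and "!EXP" drop them.

```python
# Constructed, heavily simplified cipher table: (name, attribute tags, key bits).
CIPHERS = [
    ("DHE-RSA-AES256-SHA", frozenset({"kEDH", "aRSA", "AES", "SHA1", "SSLv3", "HIGH"}), 256),
    ("AES128-SHA",         frozenset({"kRSA", "aRSA", "AES", "SHA1", "SSLv3", "HIGH"}), 128),
    ("RC4-SHA",            frozenset({"kRSA", "aRSA", "RC4", "SHA1", "SSLv3", "MEDIUM"}), 128),
    ("RC4-MD5",            frozenset({"kRSA", "aRSA", "RC4", "MD5", "SSLv3", "MEDIUM"}), 128),
    ("ADH-AES128-SHA",     frozenset({"kEDH", "aNULL", "AES", "SHA1", "SSLv3", "HIGH"}), 128),
    ("DES-CBC-SHA",        frozenset({"kRSA", "aRSA", "DES", "SHA1", "SSLv3", "LOW"}), 56),
    ("EXP-RC4-MD5",        frozenset({"kRSA", "aRSA", "RC4", "MD5", "SSLv3", "EXP"}), 40),
    ("EXP-DES-CBC-SHA",    frozenset({"kRSA", "aRSA", "DES", "SHA1", "SSLv3", "EXP"}), 40),
    ("EXP-RC2-CBC-MD5",    frozenset({"kRSA", "aRSA", "RC2", "MD5", "SSLv2", "EXP"}), 40),
    ("NULL-SHA",           frozenset({"kRSA", "aRSA", "eNULL", "SHA1", "SSLv3"}), 0),
]
BITS = {name: bits for name, _, bits in CIPHERS}
# Keywords that expand to several tags; any other word is matched as a single tag.
ALIASES = {"ADH": {"kEDH", "aNULL"}, "RSA": {"kRSA"}, "EXPORT": {"EXP"}}

def matches(tags, word):
    # "A+B" requires every part; "ALL" is every suite except eNULL; unknown words match nothing.
    for part in word.split("+"):
        if part == "ALL":
            if "eNULL" in tags:
                return False
        elif not ALIASES.get(part, {part}) <= tags:
            return False
    return True

def cipher_list(spec: str) -> list:
    """Evaluate an OpenSSL-style cipher string; return the selected suites in order."""
    order = []      # currently selected suites, in preference order
    killed = set()  # suites removed with '!' can never be re-added
    for word in spec.split(":"):
        if word == "@STRENGTH":           # stable sort, strongest first
            order.sort(key=lambda n: -BITS[n])
            continue
        op, word = (word[0], word[1:]) if word[:1] in ("+", "-", "!") else ("", word)
        hit = [n for n, t, _ in CIPHERS if matches(t, word)]
        if op == "":    # plain word: append new matches (master-list order) to the end
            order += [n for n in hit if n not in order and n not in killed]
        elif op == "+": # move already-selected matches to the end (never adds any)
            order = [n for n in order if n not in hit] + [n for n in order if n in hit]
        elif op == "-": # remove, but a later plain word may add them back
            order = [n for n in order if n not in hit]
        else:           # '!': remove permanently
            killed.update(hit)
            order = [n for n in order if n not in hit]
    return order

def still_allowed(spec: str, flagged: list) -> list:
    # Which of the scanner-flagged suites does this cipher string still permit?
    return [n for n in flagged if n in cipher_list(spec)]
```

Run `still_allowed(spec, [...])` with the suites the scan listed before deploying a string; an empty result for every listening service is what the rescan is looking for.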

Update 25/02/2010:

Additional URLs:

Tags: Linux · Operating System
