Question

I received this error when my server was scanned for PCI compliance. I was wondering if it may be because I shut off iptables. I do not want to ask them to scan it again until I am sure that it will pass. My first question is, is there any way to scan for this myself? My other question is, is iptables being turned off the actual problem?

Below are just a few errors I am getting:

  • TCP 443 https - The remote service supports the use of weak SSL ciphers
  • TCP 465 urd - The remote service accepts connections encrypted using SSL 2.0
  • TCP 993 imaps - The remote service encrypts traffic using a protocol with known weaknesses
  • TCP 995 pop3s - The remote service accepts connections encrypted using SSL 2.0

Thanks for your time.


Solution

The errors are not specifically anything to do with iptables - they are indicating that the highlighted services are configured to support SSL in a weak or insecure manner.

However, if you do not intend to provide mail services to the outside world, then you should be disabling the SMTPS, IMAPS and POP3S services running on ports 465, 993 and 995 respectively (or blocking them with iptables).

In addition, presuming that you do intend to provide HTTPS services, you will need to fix the SSL configuration of the web server that you have listening. You will want to configure it to support only TLS 1.0 connections, and only strong ciphers. For help with this, ServerFault is the right site.

OTHER TIPS

If you are using Apache you need to adjust some settings in your ssl.conf file. The important ones are SSLProtocol and SSLCipherSuite. The following settings worked for me but YMMV. You may need to add these to the VirtualHost container for your site and not simply adjust the existing ones in the default container.

# Turn every protocol off, then re-enable only SSLv3 and TLS 1.0 (SSL 2.0 stays disabled)
SSLProtocol -ALL +SSLv3 +TLSv1
# Start from ALL, permanently drop anonymous (aNULL/ADH), null-encryption (eNULL),
# low-strength (LOW) and export (EXP) suites, add RC4 with RSA key exchange,
# drop MEDIUM-strength suites, and move HIGH-strength suites to the end of the preference order
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH

Try these and then use one of the scanning tools below to do a free scan to see what ciphers your site is making available...

https://www.ssllabs.com/ssldb/index.html

http://www.serversniff.net/content.php?do=ssl

http://www.sslshopper.com/ssl-checker.html
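To answer the "can I scan for this myself" part of the question before involving an external scanner, the following Python script is an added example and is not code from either answer above. It takes an Apache SSLCipherSuite string, asks the local OpenSSL (through Python's standard ssl module) which suites that string actually expands to, and flags the ones a PCI scanner reports as weak (RC4, single and triple DES, MD5, null, export and anonymous suites). It also includes a probe that offers a single cipher to a live port and reports whether the server accepts it. Assumptions: Python 3.7 or later, the cipher-name list in the test is constructed, and the MODERN string is this example's own suggestion rather than anything the answers recommend. One caveat: current OpenSSL builds no longer speak SSL 2.0 or 3.0, so the "accepts connections encrypted using SSL 2.0" findings on 465 and 995 cannot be reproduced this way; nmap's ssl-enum-ciphers script or testssl.sh cover those.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL, flag weak
suites, and optionally probe a live port one cipher at a time.

Added example, not code from the original answers. Assumes Python 3.7+ with
the standard-library ssl module only.
"""
import socket
import ssl
import sys

# The SSLCipherSuite value posted in the answer above (the old Apache default).
POSTED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH"
# This example's own tighter string for comparison: forward-secret AEAD suites only.
MODERN = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings of OpenSSL cipher names that mark suites scanners flag as weak:
# RC4, single/triple DES, MD5 MACs, null encryption or auth, export, anonymous DH.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Ports from the scan findings in the question.
SCANNED_PORTS = (443, 465, 993, 995)


def expand_cipher_string(spec):
    """Return the cipher names the local OpenSSL selects for an OpenSSL/Apache
    cipher spec, in preference order. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Return the subset of cipher names that carry a weak-suite marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def probe_cipher(host, port, cipher, timeout=5.0):
    """Offer exactly one TLS 1.2-or-below cipher to host:port and return True
    if the server negotiates it. Certificate checks are disabled on purpose:
    this tests what the server offers, not who it is. SSL 2.0/3.0 cannot be
    probed here because modern OpenSSL no longer implements them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Cap at TLS 1.2 so the server cannot sidestep our single cipher by
    # negotiating a TLS 1.3 suite (those are configured separately in OpenSSL).
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return False  # local OpenSSL cannot even offer this suite
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (OSError, ssl.SSLError):
        return False


def report(spec):
    """Summarise what a cipher spec enables: total count and the weak subset."""
    names = expand_cipher_string(spec)
    return {"total": len(names), "weak": weak_ciphers(names)}


if __name__ == "__main__":
    for label, spec in (("posted", POSTED), ("modern", MODERN)):
        summary = report(spec)
        print("%s: %d suites, weak: %s" % (label, summary["total"], summary["weak"] or "none"))
    # Optional live probe: python3 ciphercheck.py mail.example.org (hypothetical host)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        for port in SCANNED_PORTS:
            for name in weak_ciphers(expand_cipher_string("ALL:COMPLEMENTOFALL")):
                if probe_cipher(host, port, name):
                    print("%s:%d accepts weak suite %s" % (host, port, name))
```

Run it with no arguments to see what the posted SSLCipherSuite string really enables on your OpenSSL version (the result differs between versions: newer OpenSSL classes 3DES as MEDIUM and drops RC4 entirely, so the same string is far cleaner on a current build than on the one the original server ran). Pass a hostname to try every weak suite the local OpenSSL knows against the four scanned ports; a server that accepts any of them will fail the rescan on the cipher findings, independent of whether iptables is running.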

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow