Wednesday, March 18, 2009

PCI Compliance - Disable SSLv2 and Weak Ciphers

According to section 4.1 of the the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

What does this mean? In order to validate your PCI DSS compliance in this area you will need to ensure that your relevant server(s) within your PCI environment are configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" cryptography. You are also required to have quarterly PCI security vulnerability scans conducted against your externally facing PCI systems. Without disabling SSLv2 and weak ciphers you are almost guaranteed to fail the scans. In turn this will lead to falling out of compliance along with the associated risks and consequences.

The SSLv2 Conundrum

Does your server support SSLv2?

How to test:

You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:

# openssl s_client -ssl2 -connect SERVERNAME:443

If the server does not support SSLv2 you should receive an error similar to the following:

# openssl s_client -ssl2 -connect SERVERNAME:443

CONNECTED(00000003)

458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

How to configure Apache v2 to not accept SSLv2 connections:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

How to configure Microsoft IIS to not accept SSLv2 connections:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

Those Pesky Weak SSL Ciphers

Does your server support weak SSL ciphers?

How to test:

You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

If the server does not support weak ciphers you should receive an error similar to the following:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

CONNECTED(00000003)

461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

How to configure Apache v2 to not accept weak SSL ciphers:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.


How to configure Microsoft IIS to not accept weak SSL ciphers:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:0000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted..

At this point have your Approved Scanning Vendor (ASV) scan your external facing PCI environment to validate. Making the above changes should cause the ASV scans to not tag and fail you on the following vulnerabilities:

  • SSL Server Supports Weak Encryption
  • SSL Server Allows Cleartext Encryption
  • SSL Server May Be Forced to Use Weak Encryption
  • SSL Server Allows Anonymous Authentication

Steve

###

46 comments:

Vladi said...

Very informative and well-written. Thanks a lot.

Suggestions for improvements:

Why not list all weak ciphers?

How do I disable weak ciphers with Apache v1, instructions in the blog are written for Apache v2.

Steve Zenone said...

Vladi - thank you for the suggestions. I've made a couple of adjustments to the blog post:

1. Stated that the instructions for Apache are for version 2.
2. Included additional weak ciphers to be disabled within SSLCipherSuite, including null ciphers.

I recommend upgrading to Apache 2...if possible. Apache 2 fixes a number of vulnerabilities in the Apache version 1 series.

For fun (haha...really), the following command will list all weak ciphers supported by the system:

openssl ciphers -v 'SSLv3:+HIGH:-MEDIUM:-LOW'

The output from that list can be massaged into the SSLCipherSuite option. As a sanity check, make sure that the ciphers listed within SSLCipherSuite aren't actually supported strong ciphers that you want. The following command will list all supported strong ciphers for the sanity comparison:

openssl ciphers -v 'HIGH:+MEDIUM:-LOW'

-Steve

MadHat Unspecific said...

Nice complete article.

I threw together a tool to list all supported ciphers and SSL features supported.

SSL-Cipher-Check.

It's just a wrapper for openssl and gnutls but many have found it useful.

Steve Zenone said...

MadHat - thanks for including the link to your scripts for identifying supported SSL ciphers. Good stuff!

lillian said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Sarah

http://adoptpet.info

MadHat Unspecific said...

Thanks

Feedback and requests for features are welcome.

Not sure what else would be useful right now.

Scan multiple hosts, network segments? Different output format?

jamespwalters said...

That's for the article it worked great for IIS. But I also have OpenSSL on my Windows 2000 Server and I can't figure out how to disable weak ciphers.

Thanks for your help.

Adnan said...

Thanks
Great article. very helpful.
Adnan

Steve Zenone said...

jamespwalters - my strong recommendation is to move away from Windows 2000 if you're supporting a service that requires PCI compliance.

ThePlayer said...

Great, great well written post!

Silly Question, but why not use
"SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH"

instead of

"SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

to leave out MEDIUM ciphers when configuring apache/modssl?

Pete said...

I created a tool for doing this on IIS: http://foundeo.com/products/iis-weak-ssl-ciphers/

Steve Horne said...

Yes! I finally got my website to pass the Security Metrics PCI Compliance test with the "Disable SSLv2and weak ciphers" problem being the last painful hurdle! Thanks to the discussion here I finally got it - thanks for the clear and concise information.

Ricky Staniforth said...

Does anyone know how to do this on Ubuntu server please? These instructions don;t seem to work and SSLv2 is still alive and kicking :(

JC said...

tried these steps in Apache 2.2.3 on CentOS 5.2 box, restarted service and system as well but no avail. No error but SSLv2 still there and not able to connect to SSLv3. Pls suggest.

JC said...

tried on Apache 2.2.3 (centOS 5.2). Restarted service and system as well but no avail. SSLv2 still there and giving error while trying connecting to SSLv3. pls suggest.

Alan said...

I have the weak SSLCiphers for different ports and SSLb2 for my mail serverice.

I followed instruction here. It didn't solve the problem. My question is how do I know if I have updated conf files for all ports?

Alan

Jess M said...

I am looking to disable ssl v2. I'm wondering what happens if a customer hits my site with one of these old browsers and trys to checkout with v2 if I've disabled it.

Chris said...

You may have to add the SSL directives in the Virtual Host record for your domain, not the general SSL directives. Depending on your server config, your Virtual Host config for SSL may be in either httpd.conf or the ssl.conf file.

@Jess M - 128 bit encryption has been around in IE since v5. If their browser is not up to par, they get an error message...

Bala said...

Good one...

Bala said...

Good one..

Amshu said...

Hi,
We are planning to upgrade IIS from SSL v2 to v3. If the secure sites have server certificates installed, what changes need to be done? Do we need to reinstall the certificates? What other configuration changes have to be done?

Alberto Siow said...

very informative! Thanks!

jcran said...

sslscan is an (easier) way to do this. it lists all ciphers:

jcran@aldatmak:~$ sslscan www.google.com| grep -i accepted
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

jcran said...

fyi, sslscan can be found here: http://sourceforge.net/projects/sslscan/

Marco said...

Clear and straight to the point. Thanks.

Jonny B said...

The Microsoft KB article worked like a champ. The only catch for me was when I got to the end of the registry key the final key "Server" was not present on my machine so I had to create a Key named "server" then place a new DWORD, name it "Enabled" within the key and set the Hex value to 00000000. Reboot, and then all was good.

Anonymous said...

Hi,

Is there a script or any tool that can check SSL with this condition:


* SSL Server Allows Cleartext Encryption
* SSL Server May Be Forced to Use Weak Encryption
* SSL Server Allows Anonymous Authentication


Thanks

Interior Doors said...

Thanks alot!

Steve Zenone said...

Anonymous wrote:
> Is there a script or any tool that
> can check SSL with this condition:

Check out SSLscan:
http://sourceforge.net/projects/sslscan/

ViKBaNg said...

Hello there, quick question, I've modified the SSLCipherSuite string as suggested then restart Apache

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

However, to verify it's working I'm using Nessus which once again shows that I'm using weak/medium strenght cipher suite.

I've read something that might be the browsers, I mean, you've configured correctly the server but if the browser doesn't accept STRONG ciphers, then the cipher is downgraded or something like that, so I'm wondering if this could be the reason of the findings in Nessus. Any suggestion?

Thx!

Steveonz said...

Hey,

We have disabled SSLv2 and weak Cyphers but this is causing issues on firefox b 4.3 and OSX Chrome.

This is what firefox state: SSL3 & TLS Renegotiation Vulnerability

See CVE-2009-3555 and US-CERT VU#120541 for more information about this security vulnerability.

All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.


What can be done?

Steve Zenone said...

#Steveonz - Not sure what you're running on your end, but for starters, make sure OpenSSL is updated (anything prior to 0.9.8l will pose a problem). As well, make sure mod_ssl in Apache is updated (v2.2.14 and earlier will be an issue).

Steveonz said...

Thanks this is the info: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at www.privatebox.co.nz Port 80

We are getting from firefox 4.3 ssl_error_renegotiation_not_allowed

do you have any suggestions? I do not want to give out our website as it will appear on a google search.

Zgnf05 said...

I could use some help I am failing a PCI DSS scan and I read thru the blog and noticed I am not running any kind of open ssl or Apache it looks like. I am running Server 2003 R2 Standard sp2 with IIS6 I have made the changes to the registry for the ciphers but still getting failed scans. Look forward to the comments and suggestions.

windows 7 starter said...

I've recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

Anonymous said...

Just so you know, this is a perfect post in regards to a simple way to test and disable sslv2. I had to request 2 scans that failed before I found this wonderful post... Thanks so much and keep writing!

Anonymous said...

Thank you for the great post, it has helped me move forward in becoming PCI compliant. However, my situation is that after following your guide, I still have SSLv2 and weak ciphers for a few ports. Following your instructions helped a few problems, but not all. Any clues on where I should look next to take care of this? I have a virtual dedicated hosting plan running CentOS 5.5. Thank you.

ant said...

PCI DSS is a real pain but important, the diy approach is becoming hard and hard this is one of the reasons I use a hosted solution (SaaS)for my e commerce site, take to problem out of my hands, as long as they are PCI compliant then all well

Ant
internal doors

Anonymous said...

Has anyone (instead of completely disabling SSLv2 / Weak Ciphers) successfully put in a redirect? I am getting pressure to land our customers who have out of date browsers onto a page that gives them a link to go and upgrade their browser instead. They still can't continue to our website so in effect, we have disabled SSLv2 support. Wondering if we can pass a PCI ASV scan with this approach?

Anonymous said...

Hi, does the DSS specifically state you can not use ssl v2? I don't see that even in version 2.0 of the DSS. I thought you only had to disable the weak ciphers.

Jeff said...

Hello,

I have created a simple free tool that allows you to disable all weak ciphers on Windows Server 2003/2008. It also has a template button for PCI and FIPS-140 compliance. Check out IIS Crypto

Let me know what you think, thanks!

stagnant said...

Thank you much. This was very helpful in my first PCI compliance scan/fix.

us vpn said...

Tried this over the weekend and it worked perfectly. Thanks

Anonymous said...

Hi there All

I'm having issues to b PCI compliment
But they weird thing is i ve got no IIS or Apache or any web service running on that IP
This is where it all starts
TCP Port:88 Risk:4 result FAIL
Description: SSL server accepts weak ciphers Severity: Potential Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session
On Netstat
Proto Local Address Foreign Address State PID
TCP 192.168.100.150:88 192.168.100.29:1755 CLOSE_WAIT 972
Tasklist
PID 972 is used by lsass.exe 972 Service
its somehow related to Kerberos don't know why Can anyone help ?/
Thx

Anonymous said...

hi..interesting article and thanks for the info..

Weve applied the "fixes" onto 4 of our servers..all the same setup/implementation etc yet this has only blocked SSLv2 on two of them and not the others...Anybody seen this before or any ideas please??? Weve checked registry settings/spelling/hex/dec values/rebooted etc TIA.

uk vpn said...

Amazing guide. Thank you.