Comments on Zen One: PCI Compliance - Disable SSLv2 and Weak Ciphers
Blog author: Steve. Comments feed last updated 2023-09-30. Newest comments first.

uk vpn (2012-08-24 21:25 -07:00):
Amazing guide. Thank you.

Anonymous (2012-01-20 06:06 -08:00):
Hi, interesting article and thanks for the info.

We've applied the "fixes" onto 4 of our servers, all the same setup/implementation etc., yet this has only blocked SSLv2 on two of them and not the others. Anybody seen this before or any ideas please? We've checked registry settings/spelling/hex/dec values, rebooted, etc. TIA.

us vpn (2011-10-10 22:57 -07:00):
Tried this over the weekend and it worked perfectly. Thanks.

stagnant (2011-06-02 20:01 -07:00):
Thank you much. This was very helpful in my first PCI compliance scan/fix.

Jeff (2011-05-11 16:15 -07:00):
Hello,

I have created a simple free tool that allows you to disable all weak ciphers on Windows Server 2003/2008. It also has a template button for PCI and FIPS-140 compliance. Check out IIS Crypto: https://www.nartac.com/Products/IISCrypto/Default.aspx

Let me know what you think, thanks!

Anonymous (2011-03-29 07:29 -07:00):
Hi, does the DSS specifically state you cannot use SSL v2? I don't see that even in version 2.0 of the DSS. I thought you only had to disable the weak ciphers.

Anonymous (2011-03-10 07:27 -08:00):
Has anyone (instead of completely disabling SSLv2 / weak ciphers) successfully put in a redirect? I am getting pressure to land our customers who have out-of-date browsers onto a page that gives them a link to go and upgrade their browser instead. They still can't continue to our website, so in effect we have disabled SSLv2 support.
Wondering if we can pass a PCI ASV scan with this approach?

ant (2011-02-23 02:35 -08:00):
PCI DSS is a real pain but important. The DIY approach is becoming harder and harder; this is one of the reasons I use a hosted solution (SaaS) for my e-commerce site. It takes the problem out of my hands: as long as they are PCI compliant then all is well.

Ant
internal doors: http://www.kaybeedoors.co.uk/doors/INTERNAL-DOORS/

Anonymous (2011-02-16 09:49 -08:00):
Thank you for the great post, it has helped me move forward in becoming PCI compliant. However, my situation is that after following your guide, I still have SSLv2 and weak ciphers for a few ports. Following your instructions helped a few problems, but not all. Any clues on where I should look next to take care of this? I have a virtual dedicated hosting plan running CentOS 5.5. Thank you.

Anonymous (2010-12-29 11:24 -08:00):
Just so you know, this is a perfect post in regards to a simple way to test and disable SSLv2. I had to request 2 scans that failed before I found this wonderful post... Thanks so much and keep writing!

windows 7 starter (2010-11-17 23:30 -08:00):
I've recently started a blog; the information you provide on this site has helped me tremendously.
Thank you for all of your time & work.

Zgnf05 (2010-09-20 09:43 -07:00):
I could use some help. I am failing a PCI DSS scan, and I read through the blog and noticed I am not running any kind of OpenSSL or Apache, it looks like. I am running Server 2003 R2 Standard SP2 with IIS6. I have made the changes to the registry for the ciphers but am still getting failed scans. Look forward to the comments and suggestions.

Daveonz (2010-08-21 01:27 -07:00):
Thanks, this is the info: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at www.privatebox.co.nz Port 80

We are getting from Firefox 4.3: ssl_error_renegotiation_not_allowed

Do you have any suggestions? I do not want to give out our website as it will appear on a Google search.

Steve Zenone (2010-08-21 00:16 -07:00):
#Steveonz - Not sure what you're running on your end, but for starters, make sure OpenSSL is updated (anything prior to 0.9.8l will pose a problem). As well, make sure mod_ssl in Apache is updated (v2.2.14 and earlier will be an issue).

Daveonz (2010-08-20 23:31 -07:00):
Hey,

We have disabled SSLv2 and weak ciphers but this is causing issues on Firefox b 4.3 and OSX Chrome.

This is what Firefox states: SSL3 & TLS Renegotiation Vulnerability

  See CVE-2009-3555 and US-CERT VU#120541 for more information about this security vulnerability.

  All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.

What can be done?

ViKBaNg (2010-06-01 02:13 -07:00):
Hello there, quick question. I've modified the SSLCipherSuite string as suggested, then restarted Apache:

  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

However, to verify it's working I'm using Nessus, which once again shows that I'm using weak/medium strength cipher suites.

I've read something that it might be the browsers: I mean, you've configured the server correctly, but if the browser doesn't accept STRONG ciphers then the cipher is downgraded or something like that, so I'm wondering if this could be the reason for the findings in Nessus. Any suggestion?

Thx!

Steve Zenone (2010-04-26 09:25 -07:00):
Anonymous wrote:
> Is there a script or any tool that
> can check SSL with this condition:

Check out SSLscan:
http://sourceforge.net/projects/sslscan/

Anonymous (2010-04-25 16:47 -07:00):
Hi,

Is there a script or any tool that can check SSL with this condition:

  * SSL Server Allows Cleartext Encryption
  * SSL Server May Be Forced to Use Weak Encryption
  * SSL Server Allows Anonymous Authentication

Thanks

Jonny B (2010-04-16 15:34 -07:00):
The Microsoft KB article worked like a champ. The only catch for me was when I got to the end of the registry key: the final key "Server" was not present on my machine, so I had to create a key named "Server", then place a new DWORD named "Enabled" within the key and set the hex value to 00000000. Reboot, and then all was good.

Marco (2010-03-07 02:57 -08:00):
Clear and straight to the point. Thanks.

jcran (2010-01-12 10:06 -08:00):
FYI, sslscan can be found here: http://sourceforge.net/projects/sslscan/

jcran (2010-01-12 10:05 -08:00):
sslscan is an (easier) way to do this.
It lists all ciphers:

  jcran@aldatmak:~$ sslscan www.google.com| grep -i accepted
  Accepted SSLv3 256 bits AES256-SHA
  Accepted SSLv3 128 bits AES128-SHA
  Accepted SSLv3 168 bits DES-CBC3-SHA
  Accepted SSLv3 128 bits RC4-SHA
  Accepted SSLv3 128 bits RC4-MD5
  Accepted TLSv1 256 bits AES256-SHA
  Accepted TLSv1 128 bits AES128-SHA
  Accepted TLSv1 168 bits DES-CBC3-SHA
  Accepted TLSv1 128 bits RC4-SHA
  Accepted TLSv1 128 bits RC4-MD5

Alberto Siow (2010-01-11 18:25 -08:00):
Very informative! Thanks!

Anonymous (2010-01-05 21:56 -08:00):
Hi,
We are planning to upgrade IIS from SSL v2 to v3. If the secure sites have server certificates installed, what changes need to be done? Do we need to reinstall the certificates? What other configuration changes have to be done?

Kaila Bala (2010-01-03 18:18 -08:00):
Good one..