Comments on Zen One: PCI Compliance - Disable SSLv2 and Weak Ciphers

hi..interesting article and thanks for the info.. ...

2012-01-20T06:06:25.245-08:00

hi..interesting article and thanks for the info..

Weve applied the "fixes" onto 4 of our servers..all the same setup/implementation etc yet this has only blocked SSLv2 on two of them and not the others...Anybody seen this before or any ideas please??? Weve checked registry settings/spelling/hex/dec values/rebooted etc TIA.

Hi there All I'm having issues to b PCI comp...

2011-12-20T08:27:25.552-08:00

Hi there All

I'm having issues to b PCI compliment
But they weird thing is i ve got no IIS or Apache or any web service running on that IP
This is where it all starts
TCP Port:88 Risk:4 result FAIL
Description: SSL server accepts weak ciphers Severity: Potential Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session
On Netstat
Proto Local Address Foreign Address State PID
TCP 192.168.100.150:88 192.168.100.29:1755 CLOSE_WAIT 972
Tasklist
PID 972 is used by lsass.exe 972 Service
its somehow related to Kerberos don't know why Can anyone help ?/
Thx

Tried this over the weekend and it worked perfectl...

2011-10-10T22:57:49.202-07:00

Tried this over the weekend and it worked perfectly. Thanks

Thank you much. This was very helpful in my first ...

2011-06-02T20:01:13.260-07:00

Thank you much. This was very helpful in my first PCI compliance scan/fix.

Hello, I have created a simple free tool that all...

2011-05-11T16:15:54.538-07:00

Hello,

I have created a simple free tool that allows you to disable all weak ciphers on Windows Server 2003/2008. It also has a template button for PCI and FIPS-140 compliance. Check out IIS Crypto

Let me know what you think, thanks!

Hi, does the DSS specifically state you can not us...

2011-03-29T07:29:37.834-07:00

Hi, does the DSS specifically state you can not use ssl v2? I don't see that even in version 2.0 of the DSS. I thought you only had to disable the weak ciphers.

Has anyone (instead of completely disabling SSLv2 ...

2011-03-10T07:27:17.074-08:00

Has anyone (instead of completely disabling SSLv2 / Weak Ciphers) successfully put in a redirect? I am getting pressure to land our customers who have out of date browsers onto a page that gives them a link to go and upgrade their browser instead. They still can't continue to our website so in effect, we have disabled SSLv2 support. Wondering if we can pass a PCI ASV scan with this approach?

PCI DSS is a real pain but important, the diy appr...

2011-02-23T02:35:12.260-08:00

PCI DSS is a real pain but important, the diy approach is becoming hard and hard this is one of the reasons I use a hosted solution (SaaS)for my e commerce site, take to problem out of my hands, as long as they are PCI compliant then all well

Ant
internal doors

Thank you for the great post, it has helped me mov...

2011-02-16T09:49:44.734-08:00

Thank you for the great post, it has helped me move forward in becoming PCI compliant. However, my situation is that after following your guide, I still have SSLv2 and weak ciphers for a few ports. Following your instructions helped a few problems, but not all. Any clues on where I should look next to take care of this? I have a virtual dedicated hosting plan running CentOS 5.5. Thank you.

Just so you know, this is a perfect post in regard...

2010-12-29T11:24:33.032-08:00

Just so you know, this is a perfect post in regards to a simple way to test and disable sslv2. I had to request 2 scans that failed before I found this wonderful post... Thanks so much and keep writing!

I've recently started a blog, the information ...

2010-11-17T23:30:53.142-08:00

I've recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

I could use some help I am failing a PCI DSS scan ...

2010-09-20T09:43:28.821-07:00

I could use some help I am failing a PCI DSS scan and I read thru the blog and noticed I am not running any kind of open ssl or Apache it looks like. I am running Server 2003 R2 Standard sp2 with IIS6 I have made the changes to the registry for the ciphers but still getting failed scans. Look forward to the comments and suggestions.

Thanks this is the info: Apache/2.2.9 (Debian) PHP...

2010-08-21T01:27:56.034-07:00

Thanks this is the info: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at www.privatebox.co.nz Port 80

We are getting from firefox 4.3 ssl_error_renegotiation_not_allowed

do you have any suggestions? I do not want to give out our website as it will appear on a google search.

#Steveonz - Not sure what you're running on yo...

2010-08-21T00:16:08.028-07:00

#Steveonz - Not sure what you're running on your end, but for starters, make sure OpenSSL is updated (anything prior to 0.9.8l will pose a problem). As well, make sure mod_ssl in Apache is updated (v2.2.14 and earlier will be an issue).

Hey, We have disabled SSLv2 and weak Cyphers but ...

2010-08-20T23:31:19.043-07:00

Hey,

We have disabled SSLv2 and weak Cyphers but this is causing issues on firefox b 4.3 and OSX Chrome.

This is what firefox state: SSL3 & TLS Renegotiation Vulnerability

See CVE-2009-3555 and US-CERT VU#120541 for more information about this security vulnerability.

All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.

What can be done?

Hello there, quick question, I've modified the...

2010-06-01T02:13:23.142-07:00

Hello there, quick question, I've modified the SSLCipherSuite string as suggested then restart Apache

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

However, to verify it's working I'm using Nessus which once again shows that I'm using weak/medium strenght cipher suite.

I've read something that might be the browsers, I mean, you've configured correctly the server but if the browser doesn't accept STRONG ciphers, then the cipher is downgraded or something like that, so I'm wondering if this could be the reason of the findings in Nessus. Any suggestion?

Thx!

Anonymous wrote: > Is there a script or any too...

2010-04-26T09:25:42.695-07:00

Anonymous wrote:
> Is there a script or any tool that
> can check SSL with this condition:

Check out SSLscan:
http://sourceforge.net/projects/sslscan/

Thanks alot!

2010-04-26T09:17:22.289-07:00

Thanks alot!

Hi, Is there a script or any tool that can check ...

2010-04-25T16:47:12.036-07:00

Hi,

Is there a script or any tool that can check SSL with this condition:

* SSL Server Allows Cleartext Encryption
* SSL Server May Be Forced to Use Weak Encryption
* SSL Server Allows Anonymous Authentication

Thanks

The Microsoft KB article worked like a champ. The ...

2010-04-16T15:34:55.520-07:00

The Microsoft KB article worked like a champ. The only catch for me was when I got to the end of the registry key the final key "Server" was not present on my machine so I had to create a Key named "server" then place a new DWORD, name it "Enabled" within the key and set the Hex value to 00000000. Reboot, and then all was good.

Clear and straight to the point. Thanks.

2010-03-07T02:57:40.362-08:00

Clear and straight to the point. Thanks.

fyi, sslscan can be found here: http://sourceforge...

2010-01-12T10:06:49.098-08:00

fyi, sslscan can be found here: http://sourceforge.net/projects/sslscan/

sslscan is an (easier) way to do this. it lists al...

2010-01-12T10:05:17.718-08:00

sslscan is an (easier) way to do this. it lists all ciphers:

jcran@aldatmak:~$ sslscan www.google.com| grep -i accepted
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

very informative! Thanks!

2010-01-11T18:25:51.647-08:00

very informative! Thanks!

Hi, We are planning to upgrade IIS from SSL v2 to ...

2010-01-05T21:56:19.726-08:00

Hi,
We are planning to upgrade IIS from SSL v2 to v3. If the secure sites have server certificates installed, what changes need to be done? Do we need to reinstall the certificates? What other configuration changes have to be done?