Wednesday, March 25, 2015

ssl - Passing PCI Scan on apache 2.2.22



We are on Ubuntu 12.04 and apache 2.2.2 version. We had a PCI scan done on our site and 2 vulnerabilities came out that we cannot get under control. The first one is the BEAST attack and the other one is SSL RC4 Cipher Suites Supported.



So far I have tried the following, which looks promising. I tried a few more changes after searching for help, but those changes in turn started breaking browsers and were discarded.



SSLProtocol -SSLv2 -TLSv1 +SSLv3

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:!MD5:!aNULL:!EDH
SSLCompression off


or



SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

SSLCompression off


Based on scan results on ssllabs, I am able to get only one of the vulnerabilities mitigated.
What changes do I need to make so that both vulnerabilities are addressed while still supporting current versions of browsers?


Answer



Well, the mitigation for BEAST (aside from exclusively using TLS 1.1/1.2, which your server can't do right now) is to use RC4.



So, it's probably impossible to configure your server in such a way that it won't be flagged as vulnerable. If you absolutely must get rid of these vulnerabilities, you'll probably need to replace the OS package's OpenSSL installation with a third party package of a newer version, or compiled from source.
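As an added illustration (not part of the original question or answer), the script below expands an Apache SSLCipherSuite string with the OpenSSL linked into the local Python and maps the result, together with the SSLProtocol directive, onto the two scan findings, which makes the trade-off the answer describes visible: RC4 suites avoid BEAST but trigger the RC4 finding, while dropping RC4 leaves only CBC suites for SSLv3/TLS 1.0 clients. It assumes Apache 2.2.22 SSLProtocol semantics (no TLSv1.1/TLSv1.2 keywords) and that the local OpenSSL is representative, which it is not for RC4 on modern builds; the function names parse_sslprotocol, classify, summarize, expand and findings are my own.

```python
import ssl

# Protocol names Apache 2.2.22's SSLProtocol directive knows (assumption: the
# TLSv1.1/TLSv1.2 keywords arrived in later 2.2.x releases, so they are not modelled).
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

def parse_sslprotocol(directive):
    """Return the set of protocols a 2.2.22-style 'SSLProtocol ...' line enables."""
    enabled = set()
    for tok in directive.split()[1:]:            # skip the directive name itself
        if tok.upper() == "ALL":
            enabled |= KNOWN_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def classify(name):
    """'RC4', 'AEAD' or 'CBC' for one OpenSSL suite name (TLS 1.2 and earlier)."""
    if "RC4" in name:
        return "RC4"      # stream cipher: this is the "RC4 Cipher Suites Supported" finding
    if "GCM" in name or "CCM" in name or "CHACHA20" in name:
        return "AEAD"     # TLS 1.2-only modes, outside BEAST's reach
    return "CBC"          # CBC mode: what BEAST targets when negotiated under SSLv3/TLS 1.0

def summarize(names):
    """Count suites per class; TLS 1.3 suites are skipped (not set by SSLCipherSuite)."""
    counts = {"RC4": 0, "AEAD": 0, "CBC": 0}
    for n in names:
        if not n.startswith("TLS_"):
            counts[classify(n)] += 1
    return counts

def expand(cipher_suite):
    """Expand an SSLCipherSuite string with the OpenSSL linked into this Python.
    Caveat: a modern OpenSSL has RC4 compiled out, so an RC4 count of zero here says
    nothing about the 2012-era OpenSSL the server in the question actually runs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_suite)
    except ssl.SSLError:
        return []                                 # no suite in the string is known locally
    return [c["name"] for c in ctx.get_ciphers()]

def findings(counts, protocols):
    """Map suite counts plus enabled protocols onto the two scan findings."""
    return {"rc4_supported": counts["RC4"] > 0,
            "beast_exposed": counts["CBC"] > 0 and bool(protocols & {"SSLv3", "TLSv1"})}

if __name__ == "__main__":
    # The question's second configuration, reproduced here as sample input.
    proto = parse_sslprotocol("SSLProtocol ALL -SSLv2")
    suites = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
              "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS")
    print(findings(summarize(expand(suites)), proto))
```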

