Addressing PCI SSL weak cipher requirements

For many merchants, the quarterly ASV scan brings back a range of findings relating to weak SSL ciphers and/or implementation of SSLv2 that results in a failing score.

Often this can be a time consuming task to track down the offending systems, identify the changes necessary for that platform and then implement them.

The process itself is not terribly difficult, but it can be time consuming to identify the correct commands necessary to disable the weak ciphers.

In order to make this process a little less painful, the following is a condensed version of fixes for this issue across a range of common web platforms:

F5 BIG-IP

Configuration changes to SSL cipher support are best made via the BIG-IP console.

• Log into the BIG-IP system command line
• Run the following command:

bigpipe profile clientssl <your_ssl_profile_name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW' }

• Save the changes:

bigpipe save

Cisco Application Control Engine

In order to define specific SSL cipher support, you will need to establish a dedicated parameter map

• Log into the console as a privileged user.
• Change to config mode.
• Define a new parameter map

parameter-map type ssl <your_map_name>

• The device will now change to 'config-parammap-ssl' mode
• Define the following cipher suites:

cipher RSA_WITH_3DES_EDE_CBC_SHA

cipher RSA_WITH_AES_128_CBC_SHA

cipher RSA_WITH_AES_256_CBC_SHA

• Exit out of config mode
• Write the changes to device memory

Brocade (formerly Foundry) ServerIron

• Firstly, you will need to disable/remove the SSL profile on the affected virtual servers.
• Then, add the following settings to the SSL profile:

disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-rc4-128-md5
cipher-suite rsa-with-rc4-128-sha

• Once that is done, simply reactive your SSL profile.

Apache v2

• Open the ssl.conf file using your preferred editor
• Set the following directives in your ssl.conf file

 SSLProtocol -all +SSLv3 +TLSv1
 SSLCipherSuite HIGH:!ADH

• Save the changes and exit ssl.conf
• Restart your Apache service.

Microsoft IIS (Version 6 and below)

• Open regedit
• Navigate to the following hive:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

• Within the hive you will see a number cipher suites available.
• For each of the following cipher suites, add a new DWORD value called "Enabled" with a value of '0':

DES 56/56
NULL
RC2 40/128
RC2 56/128
RC4 40/128
RC4 56/128
RC4 64/128

• Restart the IIS service.

Microsoft IIS 7

• Open regedit
• Navigate to the following hive:

HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

• Add a new key called "Server"
• For the "Server" key add DWORD 32bit value of "DisabledByDefault" with a hexadecimal value of 1
• Restart the IIS service

WebSEAL

Similar to Apache, WebSEAL uses a single file (webseald.conf) for key configuration items, located at /opt/pdweb/etc/ . Disabling SSLv2 and weak cipher support is quite straightforward.

• Open the webseald.conf file in your favourite editor.
• Identify the following configuration lines:

disable-ssl-v2 = no

disable-ssl-v3 = no

disable-tls-v1 = no

• Set the disable-ssl-v2 property to ‘yes’
• Now locate the ssl-qop-mgmt directive
• Set the property to ‘yes’
• Locate the ssl-qop-mgmt-default directive
• Remove the default = ALL directive and add the following:

default = DES-168

default = RC2-128

default = RC4-128

default = AES-128

default = AES-256

• Save the changes and restart the webseald service

Lotus Domino

SSL ciphers can be modified either via the Domino Administrator tool, or via the notes.ini file. For the purposes of this article, we will be using the Administrator tool.

• Click Configuration and open the Server document in the Domino Directory.
• Select Ports à Internet Ports à Web
• Select ‘Modify’ in the SSL Ciphers field.
• Ensure that only the following ciphers are enabled:

RC4 encryption with 128-bit key and MD5 MAC

RC4 encryption with 128-bit key and SHA-1 MAC

Triple DES encryption with 168-bit key and SHA-1 MAC

AES encryption with 128-bit key and SHA-1 MAC (Domino 8+ only)

AES encryption with 256-bit key and SHA-1 MAC (Domino 8+ only)

·         You should also ensure that ‘Enable SSL v2’ is set to No