PCI Compliance: SSL

Over the coming weeks, I’ll be covering a number of technical aspects required to achieve PCI compliance. For information on what PCI compliance is and when you’ll require it, see this detailed wikipedia entry. For now, let’s move onto our first topic:

Disable SSLv2 and Weak Ciphers

Section 4.1 of the PCI-DSS states that you are required to “Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

Put simply: you will need to ensure that any web servers running SSL in your PCI environment are configured to use a strict set of security rules, including disallowing Secure Socket Layer (SSL) version 2 as well as all weak cryptography.

Even if you’re not interested in PCI compliance, the techniques documented within are still extremely important as they disable a number of vulnerable protocols and encryption cyphers.

How to test for SSL V2:

In order to perform the following tests, you will need to have OpenSSL installed. Once installed, run the following command:

openssl s_client -ssl2 -connect SERVER:443

If SSL V2 is already disabled, you should see the following:

2295:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

How to disable SSLv2 in Apache 2:

You will need to replace the SSLProtocol directive in either httpd.conf, apache2.conf or ssl.conf, dependent on your distribution.

The following configuration will selectively enable only SSLv3 and TLSv1:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart the web service and run the check again to ensure connections are no longer accepted.

How to disable SSL V2 in IIS:

You will need to apply the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Restart the server and run the check again to ensure connections are no longer accepted.

How to test for weak cyphers:

In order to perform the following tests, you will need to have OpenSSL installed. Once installed, run the following command. Alternatively, an open source utility known as SSLScan is available to do the checks for you.

# openssl s_client -connect SERVER:443 -cipher LOW:EXP

If weak cyphers are already disabled, you should see the following:

2362:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

How to disable weak cyphers in Apache 2:

You will need to replace the SSLCipherSuite directive in either httpd.conf, apache2.conf or ssl.conf, dependent on your distribution.

The following will disable all cyphers except for those classed as high security, and therefore PCI compliant:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH

Restart the web service and run the check again to ensure connections are no longer accepted.
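The two openssl checks above are easier to repeat across a whole PCI environment when they are scripted and their output is classified mechanically. The script below is an added example and is not code from the original post: it wraps the SSLv2 probe and the LOW:EXP cipher probe into functions, reads the s_client output and reports "refused", "accepted" or "unknown", and expands the SSLCipherSuite string from this post so you can see exactly which suites it enables (Apache hands that string straight to OpenSSL's cipher-list parser). It assumes openssl is on PATH and that the host and port come from the caller; the "refused" sample is the error line quoted above, the other two samples are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: openssl is on
# PATH; HOST and PORT are supplied by the caller. Sample outputs at the
# bottom let classify_handshake be exercised without any network access.

# Classify openssl s_client output read from stdin. Prints one word:
#   refused  - the server would not complete the handshake (the result you want)
#   accepted - a session was negotiated, so the protocol/cipher is still enabled
#   unknown  - neither pattern seen: TCP failure, DNS error, or a client build
#              that no longer has the option at all (OpenSSL 1.1.0 and later
#              dropped SSLv2, so -ssl2 is rejected before any connection).
#              Treat "unknown" as "not tested", never as a pass.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"handshake failure"*|*"no ciphers available"*|*"Cipher is (NONE)"*)
            echo refused ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# The SSLv2 probe from the post. "echo |" closes stdin so s_client exits
# instead of waiting for interactive input.
check_sslv2() {
    echo | openssl s_client -ssl2 -connect "$1:$2" 2>&1 | classify_handshake
}

# The weak-cipher probe from the post: offer only LOW and EXP suites.
check_weak_ciphers() {
    echo | openssl s_client -connect "$1:$2" -cipher 'LOW:EXP' 2>&1 | classify_handshake
}

# The SSLCipherSuite value given in the post. `openssl ciphers -v` lists the
# concrete suites (name, protocol, key exchange, cipher, MAC) it enables.
PCI_CIPHER_STRING='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH'
expand_cipher_string() {
    openssl ciphers -v "${1:-$PCI_CIPHER_STRING}"
}

# Run both probes against one host; exit status 1 if anything was accepted.
scan_host() {
    host=$1
    port=${2:-443}
    rc=0
    for probe in check_sslv2 check_weak_ciphers; do
        result=$("$probe" "$host" "$port")
        printf '%-18s %s:%s  %s\n' "$probe" "$host" "$port" "$result"
        if [ "$result" = accepted ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Sample s_client output. The first line is the error quoted in the post;
# the other two are constructed for illustration.
SAMPLE_REFUSED='2295:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5'
SAMPLE_UNKNOWN='connect: Connection refused'

# Usage: sh ssl_check.sh HOST [PORT]
if [ "$#" -ge 1 ]; then
    scan_host "$@"
fi
```

Run it as `sh ssl_check.sh SERVER 443` after each configuration change, and run `expand_cipher_string` before committing a SSLCipherSuite value so the enabled list is reviewed rather than assumed. Two caveats when reading the results today: a modern OpenSSL that reports "unknown" for the SSLv2 probe simply cannot speak SSLv2, so that probe must be run from an older client or a dedicated scanner such as SSLScan; and the settings in this 2010 post predate PCI DSS v3.1, which withdrew SSLv3 and early TLS from "strong cryptography", and RFC 7465, which prohibits RC4 in TLS, so the SSLProtocol and SSLCipherSuite values above should be taken as the floor of that era, not a current target.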

How to disable weak cyphers in IIS:

You will need to apply the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

Restart the server and run the check again to ensure connections are no longer accepted.

At this point, scans performed against the SSL boxes in your PCI environment should pass all tests covering section 4.2 of the compliance requirements, as well as a number of non-PCI security scans covering SSL vulnerabilities.

Rob Greenwood, Technical Lead

This entry was posted on 10/06/2010 in Helping Hints from our Techies by Rob Greenwood.
