1.  Home
  2. MIDRANGE-L
  3. January 2017

SSL cipher list and PCI

Our PCI external scanner send us the issue below, requesting us to remove cipher DES-CBC3-SHA. Our list of ciphers in QSSLCSL (also below) does not show this cipher being used. Would anyone know if the list IBM uses is the standard name others would use for the same cipher? Or is there another place for me to look for the ciphers we are using other than the QSSLCSL list? (p.s. we do still have to allow for TLSV1 as one of our external vendors has not removed that yet – planned for April of this year)

Thanks
Mike Cunningham

FAIL
Port 443
Protocol TCP
Service www
Title SSL Medium Strength Cipher Suites Supported

Synopsis:
The remote service supports the use of medium strength SSL ciphers.
Impact:
The remote host supports the use of SSL ciphers that offer medium strength encryption. SecurityMetrics regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. See also : https://www.openssl.org/blog/blog/2016/08/24/sweet32/
Resolution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Data Received:
Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}



System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list


Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
Bottom

________________________________
This email may contain confidential information about a Pennsylvania College of Technology student. It is intended solely for the use of the recipient. This email may contain information that is considered an “educational record” subject to the protections of the Family Educational Rights and Privacy Act Regulations. The regulations may be found at 34 C.F.R. Part 99 for your reference. The recipient may only use or disclose the information in accordance with the requirements of the Federal Educational Rights and Privacy Act Regulations. If you have received this transmission in error, please notify the sender immediately and permanently delete the email.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.