1.  Home
  2. MIDRANGE-L
  3. January 2017

Re: SSL cipher list and PCI

This article written by Steve Pitcher might help.
IBM did late November or early December recommend removing the block
ciphers.

http://www.mcpressonline.com/current-events-commentary/commentary/hardening-your-ibm-i-ciphers

Jim

Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com




From: Mike Cunningham <mike.cunningham@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Cc: Randy Monroe <rmonroe@xxxxxxx>, Jim Williams Jr
<Jim.Williams@xxxxxxx>
Date: 01/13/2017 09:37 AM
Subject: SSL cipher list and PCI
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Our PCI external scanner send us the issue below, requesting us to remove
cipher DES-CBC3-SHA. Our list of ciphers in QSSLCSL (also below) does not
show this cipher being used. Would anyone know if the list IBM uses is the
standard name others would use for the same cipher? Or is there another
place for me to look for the ciphers we are using other than the QSSLCSL
list? (p.s. we do still have to allow for TLSV1 as one of our external
vendors has not removed that yet ? planned for April of this year)

Thanks
Mike Cunningham

FAIL
Port 443
Protocol TCP
Service www
Title SSL Medium Strength Cipher Suites Supported

Synopsis:
The remote service supports the use of medium strength SSL ciphers.
Impact:
The remote host supports the use of SSL ciphers that offer medium strength
encryption. SecurityMetrics regards medium strength as any encryption that
uses key lengths at least 56 bits and less than 112 bits, or else that
uses the 3DES encryption suite. Note that it is considerably easier to
circumvent medium strength encryption if the attacker is on the same
physical network. See also :
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
Resolution:
Reconfigure the affected application if possible to avoid use of medium
strength ciphers.
Data Received:
Here is the list of medium strength SSL ciphers supported by the remote
server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 The fields above are
: {OpenSSL ciphername} Kx={key exchange} Au={authentication}
Enc={symmetric encryption method} Mac={message authentication code}
{export flag}



System value . . . . . : QSSLCSL
Description . . . . . : Secure sockets layer cipher specification list


Sequence Cipher
number Suite
0
10 *RSA_AES_128_CBC_SHA
20 *RSA_RC4_128_SHA
30 *RSA_RC4_128_MD5
40 *RSA_AES_256_CBC_SHA
50 *RSA_3DES_EDE_CBC_SHA
60 *RSA_DES_CBC_SHA
70 *RSA_EXPORT_RC4_40_MD5
80 *RSA_EXPORT_RC2_CBC_40_MD5
90 *RSA_NULL_SHA
100 *RSA_NULL_MD5
Bottom

________________________________
This email may contain confidential information about a Pennsylvania
College of Technology student. It is intended solely for the use of the
recipient. This email may contain information that is considered an
?educational record? subject to the protections of the Family Educational
Rights and Privacy Act Regulations. The regulations may be found at 34
C.F.R. Part 99 for your reference. The recipient may only use or disclose
the information in accordance with the requirements of the Federal
Educational Rights and Privacy Act Regulations. If you have received this
transmission in error, please notify the sender immediately and
permanently delete the email.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.