LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 02-08-2013, 06:30 AM   #1
fetal
LQ Newbie
 
Registered: Nov 2011
Distribution: Ubuntu 11.04
Posts: 25

Rep: Reputation: Disabled
Question PCI Compliance


Hello,

I'm running into an issue with PCI Compliance from Comodo

Running CentOS 6.

This is what I'm getting on the following ports.

587, 110, 25, 143, 443

Code:
 Security Warning found on port/service "smtp (587/tcp)"
	
																											
	

    Status
		

Fail (This must be resolved for your device to be compliant).

    Plugin
		

 "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability"
	

    Category
		

 "General "
	
	

    Priority
		

 "Medium Priority
	

    Synopsis
	
	

   It may be possible to obtain sensitive information from the remote
host with SSL/TLS-enabled services.
	
	

    Description
	

    A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.

This script tries to establish an SSL/TLS remote connection using an
affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or
one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL
is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the
setting can be controlled via the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\S
CHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS
implementation, some may be vulnerable while others may not, depending
on whether or not a countermeasure has been enabled.

Note that this script detects the vulnerability in the SSLv3/TLSv1
protocol implemented in the server. It does not detect the BEAST
attack where it exploits the vulnerability at HTTPS client-side
(i.e., Internet browser). The detection at server-side does not
necessarily mean your server is vulnerable to the BEAST attack
because the attack exploits the vulnerability at client-side, and
both SSL/TLS clients and servers can independently employ the split
record countermeasure.

CVE-2011-3389

Now, all packages are fully updated. I've done some research and tried different configs but can't get anything to pass. sslabs checks out and I don't have beast.

Here is my config and what I've tried.

#PCI COMPLIANCE

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLProtocol -ALL -SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLInsecureRenegotiation off
#SSLHonorCipherOrder On
#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
#SSLProtocol ALL -SSLv2 -SSLv3
#SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Thanks in advance!

Last edited by fetal; 02-08-2013 at 08:59 AM.
 
Old 02-08-2013, 07:08 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897
Why would you define SSLCipherSuite twice? I see you already "downgraded" to RC4 stream cipher, try setting SSLProtocol to "-ALL -SSLv2 +SSLv3 +TLSv1" and SSLCipherSuite to exclude more than you do right now with "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5"? And please don't mess with fonts. Completely unnecessary.
 
1 members found this post helpful.
Old 02-08-2013, 08:45 AM   #3
fetal
LQ Newbie
 
Registered: Nov 2011
Distribution: Ubuntu 11.04
Posts: 25

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.

I must have forgot to comment it out. I made the changes and an re-running the scan.
 
Old 02-08-2013, 08:16 PM   #4
fetal
LQ Newbie
 
Registered: Nov 2011
Distribution: Ubuntu 11.04
Posts: 25

Original Poster
Rep: Reputation: Disabled
Failed again, same results.

This is what I have.

#PCI COMPLIANCE

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
#SSLProtocol -ALL -SSLv3 +TLSv1
#SSLHonorCipherOrder On
SSLProtocol -ALL -SSLv2 +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:HIGH:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
SSLInsecureRenegotiation off
#SSLHonorCipherOrder On
#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
#SSLProtocol ALL -SSLv2 -SSLv3
#SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 
Old 02-09-2013, 06:37 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897
Any reason to define SSLCipherSuite twice again?
 
Old 02-09-2013, 10:19 AM   #6
fetal
LQ Newbie
 
Registered: Nov 2011
Distribution: Ubuntu 11.04
Posts: 25

Original Poster
Rep: Reputation: Disabled
Nope.

Just failed, yet again. Re-running.
 
Old 02-11-2013, 09:55 PM   #7
fetal
LQ Newbie
 
Registered: Nov 2011
Distribution: Ubuntu 11.04
Posts: 25

Original Poster
Rep: Reputation: Disabled
Failed again.

Anyone else have any other suggestions?
 
  


Reply

Tags
security, ssl


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
is PCI Compliance possible in a multi-node cloud setup? sneakyimp Linux - Security 2 10-11-2012 07:39 PM
vsftpd and PCI compliance saraza Linux - Networking 3 09-22-2012 01:39 PM
rhel 5.8 / apache 2.4.3 / openssl 0.9.8x / PCI Compliance / compile from source cwyble Red Hat 2 09-03-2012 12:09 PM
LXer: Instituting 'Defense in Depth' for PCI Compliance on a Linux Platform LXer Syndicated Linux News 0 04-24-2011 06:00 AM
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl sowell Linux - Server 2 12-09-2009 09:26 AM


All times are GMT -5. The time now is 01:53 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration