Hello,
I'm running into an issue with PCI Compliance from Comodo
Running CentOS 6.
This is what I'm getting on the following ports.
587, 110, 25, 143, 443
Code:
Security Warning found on port/service "smtp (587/tcp)"
Status
Fail (This must be resolved for your device to be compliant).
Plugin
"SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability"
Category
"General "
Priority
"Medium Priority
Synopsis
It may be possible to obtain sensitive information from the remote
host with SSL/TLS-enabled services.
Description
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.
This script tries to establish an SSL/TLS remote connection using an
affected SSL version and cipher suite, and then solicits return data.
If returned application data is not fragmented with an empty or
one-byte record, it is likely vulnerable.
OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL
is initialized.
Microsoft implemented one-byte fragments as a countermeasure, and the
setting can be controlled via the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\S
CHANNEL\SendExtraRecord.
Therefore, if multiple applications use the same SSL/TLS
implementation, some may be vulnerable while others may not, depending
on whether or not a countermeasure has been enabled.
Note that this script detects the vulnerability in the SSLv3/TLSv1
protocol implemented in the server. It does not detect the BEAST
attack where it exploits the vulnerability at HTTPS client-side
(i.e., Internet browser). The detection at server-side does not
necessarily mean your server is vulnerable to the BEAST attack
because the attack exploits the vulnerability at client-side, and
both SSL/TLS clients and servers can independently employ the split
record countermeasure.
CVE-2011-3389
Now, all packages are fully updated. I've done some research and tried different configs but can't get anything to pass. sslabs checks out and I don't have beast.
Here is my config and what I've tried.
#PCI COMPLIANCE
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLProtocol -ALL -SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLInsecureRenegotiation off
#SSLHonorCipherOrder On
#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
#SSLProtocol ALL -SSLv2 -SSLv3
#SSLCipherSuite HIGH:!aNULL:!MD5
#SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
Thanks in advance!