[WEB SECURITY] SSL Server Options - Ciphers
sant9442 at gmail.com
Sun Jul 5 00:39:25 EDT 2009
For our web server, with a reported customer PCI compliance requirement
need along with increasing support questions regarding SSLv3 support
only, the issues has made us relook at the web server SSL options.
My questions is to do with better understood the various SSL (openssl)
options to best present them to provide customers the new "best"
security setting out of the box.
Currently, we provide two GUI options:
Cipher: ALL:!ADH:RC4+RSA:+SSLv3:@STRENGTH (default)
Verify Level: None (default)
Fail if No Peer Certificate
Although not in the GUI, the operator can manually set the SSL Protocol
(version) option in the config file:
SSLProtocol = 0 to 3
where the values are:
# define SRV_SSL_V23 0 (default)
# define SRV_SSL_V2 1
# define SRV_SSL_V3 2
# define SRV_SSL_TLS1 3
So in this case, for the customer who needs PCI compliant, we suggested
Now, in my internal testing with openssl s_client -ssl2 -connect
host:443 and with IE and Firefox by forcing them to [X] Use SSLv2
only, the testing seem to work. No successful SSL negotiation and
connection was made.
However, in the last report received on Friday from the customer, he
indicated the PCI auditor rescan failed with the new server settings.
So I have been trying to make sense of the ciphers and researching how
others have addressed this.
I guess the issue is the cipher is not correct. It needs to reduce the
ciphers? Correct? I am going to have him try other statements. Does
anyone have a suggestion for this cipher openssl statement for PCI
The next question is about making it easier for customers by having them
select the SSL Protocol level which will by default be associated to a
predefine set of ciphers while still allow them to alter it from a
default cipher set if required.
Does that make sense from a security standpoint? Should I even allow
SSLv2 and/or TLSv1?
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
More information about the websecurity