[WEB SECURITY] SSL Server Options - Ciphers

Paul Johnston paj at pajhome.org.uk
Sun Jul 5 05:46:45 EDT 2009


> Now, in my internal testing with openssl s_client -ssl2 -connect host:443
> and with IE and Firefox by forcing them to [X] Use SSLv2 only, the
> testing seems to work. No successful SSL negotiation and connection was
> made.

What I have seen with some devices (Cisco SCA) is that if the
protocol/cipher is disabled, an SSL connection is still made, but the
device then only returns a page that explains the cipher is disabled.
The PCI scan company at first reported this as failing - their tool
was just seeing the established connection, and not recognizing that
it's just an error page. When I challenged this, they agreed that this
arrangement is compliant with the spirit of PCI - a CC number will
never go over the weak cipher. They updated their tool and noted us as

Now, I'm not sure this is the same issue you've seen - you indicate no
SSL connection was made at all. But it's quite a similar issue, so may
be relevant.

Best wishes,

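A check in the spirit of what Paul describes, written here as an added example (not code from the thread): it offers the server only one legacy protocol version, records whether the handshake succeeds, and, if it does, distinguishes a real application page from a "protocol disabled" notice page, which is exactly the case the scanning tool got wrong. The `probe_legacy` and `classify` names and the notice markers are my assumptions; modern OpenSSL builds no longer offer SSLv2, so TLS 1.0 stands in for the legacy version.

```python
import socket
import ssl

# Markers a "this protocol is disabled" notice page might contain (assumed, constructed).
NOTICE_MARKERS = ("disabled", "not supported", "not permitted")


def probe_legacy(host, port=443, version=ssl.TLSVersion.TLSv1, path="/", timeout=5):
    """Offer only one legacy protocol version and, if accepted, fetch one page.

    Returns a dict: handshake (bool), cipher (str or None), response (str).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer weak suites as well
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
                tls.sendall(req)
                body = b""
                while chunk := tls.recv(4096):
                    body += chunk
                return {"handshake": True, "cipher": tls.cipher()[0],
                        "response": body.decode("latin-1")}
    except (ssl.SSLError, ValueError, OSError):
        # A connection or handshake failure counts as the legacy protocol being refused.
        return {"handshake": False, "cipher": None, "response": ""}


def classify(result, markers=NOTICE_MARKERS):
    """Turn a probe result into the finding a scan should report."""
    if not result["handshake"]:
        return "refused"              # the legacy protocol is genuinely off
    text = result["response"].lower()
    if any(m in text for m in markers):
        return "accepted_error_page"  # connection made, but only a notice page is served
    return "accepted"                 # the legacy protocol serves the real application


if __name__ == "__main__":
    # Constructed result, as a scanner would see it from a device that serves a notice page.
    sample = {"handshake": True, "cipher": "DES-CBC3-SHA",
              "response": "HTTP/1.0 200 OK\r\n\r\n<html>SSLv2 is disabled on this device</html>"}
    print(classify(sample))          # accepted_error_page
```

An "accepted_error_page" result still deserves a manual look at the served page, since the marker match is only a heuristic; "accepted" is the finding that actually means card data could travel over the weak protocol.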
