[WEB SECURITY] SSL Server Options - Ciphers
hector
gmail.sant9442 at winserver.com
Sun Jul 5 06:38:05 EDT 2009
Paul Johnston wrote:
> Hi,
>
>> Now, in my internal testing with openssl s_client -ssl2 -connect host:443
>> and with IE and Firefox by forcing them to [X] Use SSLv2 only, the
>> testing seems to work. No successful SSL negotiation and connection was
>> made.
>
> What I have seen with some devices (Cisco SCA) is that if the
> protocol/cipher is disabled, an SSL connection is still made, but the
> device then only returns a page that explains the cipher is disabled.
> The PCI scan company at first reported this as failing - their tool
> was just seeing the established connection, and not recognizing that
> it's just an error page. When I challenged this, they agreed that this
> arrangement is compliant with the spirit of PCI - a CC number will
> never go over the weak cipher. They updated their tool and noted us as
> compliant.
>
> Now, I'm not sure this is the same issue you've seen - you indicate no
> SSL connection was made at all. But it's quite a similar issue, so may
> be relevant.
Hi Paul,
What I now know is that if I use SSLv3 at the protocol level (this was
the setting I was using), I see no connection, with IE and Firefox
going into an infinite busy state. I wondered if that was normal or not.
When SSLv2/SSLv3 is used, along with the proper cipher to remove SSLv2
and low bit lengths, FF and IE both show a fast negative
response. Openssl s_client shows a connect, one block write and no
more handshaking.
I guess it makes sense for the server protocol to be open to
SSLv2/SSLv3 and then let the C/S cipher negotiate the SSLv3-only
handshake.
Thanks
--
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
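The thread describes three different things a weak-protocol probe can see: no handshake at all (hector's result), a completed handshake that only yields an error page (the Cisco SCA behaviour Paul describes, which a scanner misreads as a finding), and a completed handshake that serves a real page. The following POSIX shell helper is an added example, not code from either poster or from OpenSSL; it tells those cases apart from the output of openssl s_client. The function names classify_sclient and probe and the sample transcripts are my own constructions, not captured from the systems discussed. Note that -ssl2 no longer exists in OpenSSL 1.1.0 and later and -ssl3 requires a build configured with enable-ssl3, so on a current build the legacy path is exercised with -tls1 or -tls1_1 and a cipher list such as LOW:EXP:NULL.

```shell
#!/bin/sh
# Added example (not from the thread): classify "openssl s_client" output so a
# weak-protocol probe separates the three outcomes discussed above.
#   NO_HANDSHAKE         no TLS session was negotiated (hector's case)
#   HANDSHAKE_ERROR_PAGE session negotiated, but the server only returned a
#                        non-2xx error page (the device behaviour Paul saw)
#   HANDSHAKE_OK         session negotiated and a 2xx page came back
# Relies on the SSL-Session block s_client prints: "Cipher : 0000" (or no
# block at all) means the handshake failed; a real cipher name means success.

classify_sclient() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000) echo NO_HANDSHAKE; return 0 ;;
    esac
    # First HTTP status line after the handshake; a trailing \r is absorbed by ".*"
    status=$(printf '%s\n' "$out" | sed -n 's/^HTTP\/1\.[01] \([0-9][0-9][0-9]\).*/\1/p' | head -n 1)
    case "$status" in
        2*) echo HANDSHAKE_OK ;;
        *)  echo HANDSHAKE_ERROR_PAGE ;;
    esac
}

# probe PROTO_FLAG CIPHER_LIST HOST [PORT]: live version of the check (needs
# network, so it is not exercised below). Hypothetical wrapper, not an OpenSSL
# command. Protocol flags depend on the OpenSSL build (-ssl2 was removed in
# 1.1.0, -ssl3 needs enable-ssl3), so an unknown flag is reported explicitly
# rather than being mistaken for a refused handshake.
probe() {
    proto=$1; ciphers=$2; host=$3; port=${4:-443}
    if ! openssl s_client -help 2>&1 | grep -q -- "^ *$proto  *"; then
        echo "UNSUPPORTED_FLAG $proto"; return 2
    fi
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
        openssl s_client "$proto" -cipher "$ciphers" -connect "$host:$port" 2>&1 |
        classify_sclient
}

# Constructed (trimmed) s_client transcripts, one per outcome.
sample_no_handshake() {
    printf '%s\n' 'CONNECTED(00000003)' \
        '140000:error:1408F10B:SSL routines:ssl3_get_record:wrong version number' \
        'New, (NONE), Cipher is (NONE)' \
        'SSL-Session:' '    Protocol  : TLSv1' '    Cipher    : 0000'
}
sample_error_page() {
    printf '%s\n' 'CONNECTED(00000003)' 'New, TLSv1/SSLv3, Cipher is DES-CBC-SHA' \
        'SSL-Session:' '    Protocol  : TLSv1' '    Cipher    : DES-CBC-SHA' \
        'HTTP/1.1 403 Forbidden' 'Content-Type: text/html' '' \
        '<html>Weak cipher suites are not permitted.</html>'
}
sample_ok() {
    printf '%s\n' 'CONNECTED(00000003)' 'New, TLSv1/SSLv3, Cipher is DES-CBC-SHA' \
        'SSL-Session:' '    Protocol  : TLSv1' '    Cipher    : DES-CBC-SHA' \
        'HTTP/1.1 200 OK' 'Content-Type: text/html' '' '<html>Login</html>'
}

for s in sample_no_handshake sample_error_page sample_ok; do
    printf '%-20s %s\n' "$s" "$($s | classify_sclient)"
done
```

Against a live host the call is of the form probe -tls1 'LOW:EXP:NULL' host 443; the point of returning HANDSHAKE_ERROR_PAGE as a distinct result is that a scanner which stops at the negotiated session, as Paul's PCI vendor's tool did, cannot tell it from a real exposure, so the HTTP response has to be checked as well before deciding which side of the argument you are on.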