PCI DSS Compliance Part 2 - Weak SSL And Ciphers

The next stop on our PCI DSS Compliance tour is disabling weak SSL versions and encryption ciphers. If your site is handling credit card payments, it is undoubtedly using HTTPS for at least the pages that collect payment information. I thought I had already taken care of this item, but I was apparently mistaken. Fortunately, this is pretty easy to fix and if you're on Windows I've even cooked up a quick and easy registry file for you to use.

The problem

The SSL protocol is on its third version and connections using it have a variety of encryption algorithms they can use to scramble the information being sent. Web servers like IIS and Apache support pretty much all versions of SSL and any encryption method for guaranteed compatibility with any client. The problem is that older versions of SSL have proven to have security holes and early encryption methods can be decrypted fairly easily these days. The good news is that any vaguely modern browser (IE 5.5 and FF 0.8) supports SSL v3 and strong ciphers. Since the old standards aren't a requirement anymore, the solution is simply to disable them.

Am I affected?

One of the easiest ways to check your server is to use Pete Freitag's www.hackmycf.com. This site will scan your server for a number of known vulnerabilities including weak SSL versions and ciphers and send you an E-mail. Alternatively, http://www.serversniff.net/sslcheck.php is a site that will scan your server and give you detailed info about its SSL capabilities. For any uber-geeks out there. you can manually check your server with a utility called openssl. http://www.madboa.com/geek/openssl/

How to fix it

If you are using Apache 2, you can use the following config: mod_ssl: add the following into httpd.conf or ssl.conf

[code]SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
[/code]

apache_ssl: add the following into httpsd.conf

[code]SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
[/code]

If you are using IIS, you will need to modify the Windows registry. Save the following code into a text file with a .reg extension, and run it to import it into the system registry of you server. You should probably restart too.

[code]REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:0000000
[/code]

And now for the standard disclaimer: Be careful editing your registry. What I wrote above is probably total crap and will most likely crash your server. Use it at your own risk. :) Tune in next time for PCI DSS Compliance Part 3 - IIS Internal IP Address Disclosure