
For many merchants, the quarterly ASV scan brings back a range of findings relating to weak SSL ciphers and/or SSLv2 support, and those findings result in a failing score.
Tracking down the offending systems, identifying the changes necessary for each platform and then implementing them is often a time-consuming task.
The process itself is not terribly difficult, but finding the correct commands to disable the weak ciphers on each platform takes time.
In order to make this process a little less painful, the following is a condensed version of the fixes for this issue across a range of common web platforms:
F5 BIG-IP
Configuration changes to SSL cipher support are best made via the BIG-IP console.
- Log into the BIG-IP system command line
- Run the following command:
bigpipe profile clientssl <your_ssl_profile_name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW' }
- Save the changes:
bigpipe save
Cisco Application Control Engine
In order to define specific SSL cipher support, you will need to establish a dedicated parameter map.
- Log into the console as a privileged user.
- Change to config mode.
- Define a new parameter map
parameter-map type ssl <your_map_name>
- The device will now change to 'config-parammap-ssl' mode
- Define the following cipher suites:
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
- Exit out of config mode
- Write the changes to device memory
Brocade (formerly Foundry) ServerIron
- Firstly, you will need to disable/remove the SSL profile on the affected virtual servers.
- Then, add the following settings to the SSL profile:
disable-ssl-v2
no cipher-suite all-cipher-suites
cipher-suite rsa-with-3des-ede-cbc-sha
cipher-suite rsa-with-aes-128-sha
cipher-suite rsa-with-aes-256-sha
cipher-suite rsa-with-rc4-128-md5
cipher-suite rsa-with-rc4-128-sha
- Once that is done, simply reactivate your SSL profile.
Apache v2
- Open the ssl.conf file using your preferred editor
- Set the following directives in your ssl.conf file
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:!ADH
- Save the changes and exit ssl.conf
- Restart your Apache service.
Microsoft IIS (Version 6 and below)
- Open regedit
- Navigate to the following hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
- Within the hive you will see a number of cipher suites available.
- For each of the following cipher suites, add a new DWORD value called "Enabled" with a value of '0':
DES 56/56
NULL
RC2 40/128
RC2 56/128
RC4 40/128
RC4 56/128
RC4 64/128
- Restart the IIS service.
Microsoft IIS 7
- Open regedit
- Navigate to the following hive:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\
- Add a new key called "Server"
- For the "Server" key, add a DWORD (32-bit) value named "DisabledByDefault" with a hexadecimal value of 1
- Restart the IIS service
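After making the registry changes for IIS 6 or IIS 7, it is worth confirming them from an export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel.reg`) rather than by eye. The following is an added example, not code from the original article or from Microsoft: a small parser for the `.reg` export format plus an audit that checks each weak cipher listed above for `Enabled` = 0 and the `SSL 2.0\Server` key for `DisabledByDefault` = 1. The sample export embedded in the script is constructed, with one cipher still enabled and one never disabled so that the audit has something to report; the finding format and the `WEAK_CIPHERS` list (taken from the steps above) are the example's own choices. Windows SChannel also honours an `Enabled` value under the `SSL 2.0\Server` key; the audit below checks only the value the steps above set.

```python
"""Audit an exported SCHANNEL registry hive for the weak-cipher and SSLv2 settings above.

Constructed example; the .reg parser handles only the value kinds the audit needs.
"""

# Cipher subkeys the IIS 6 steps disable (Enabled = 0 under SCHANNEL\Ciphers).
WEAK_CIPHERS = ["DES 56/56", "NULL", "RC2 40/128", "RC2 56/128",
                "RC4 40/128", "RC4 56/128", "RC4 64/128"]
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Constructed sample export: NULL is still enabled (0xffffffff) and RC4 56/128
# has no Enabled value at all; SSL 2.0 is disabled by default for the server.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"""


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse .reg export text into {lower-cased key path: {value name: value}}."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]
            # hex: and multi-line binary values are not needed for this audit
    return keys


def audit(keys: dict[str, dict[str, object]]) -> list[tuple[str, str]]:
    """Return (subject, problem) pairs for settings that do not match the steps above."""
    findings: list[tuple[str, str]] = []
    for cipher in WEAK_CIPHERS:
        values = keys.get(f"{SCHANNEL}\\Ciphers\\{cipher}".lower())
        if values is None or "Enabled" not in values:
            findings.append((cipher, "no Enabled value; cipher remains available"))
        elif values["Enabled"] != 0:
            findings.append((cipher, f"Enabled={values['Enabled']}"))
    ssl2 = keys.get(f"{SCHANNEL}\\Protocols\\SSL 2.0\\Server".lower(), {})
    if ssl2.get("DisabledByDefault") != 1:
        findings.append(("SSL 2.0 Server", "DisabledByDefault is not 1"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(parse_reg(SAMPLE_REG)) or [("all checks", "pass")]:
        print(f"{subject}: {problem}")
```

To audit a real system, read the exported file (it is written as UTF-16 by `reg export`, so open it with that encoding) and pass its contents to `parse_reg` in place of `SAMPLE_REG`.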
WebSEAL
Similar to Apache, WebSEAL uses a single file (webseald.conf) for key configuration items, located at /opt/pdweb/etc/. Disabling SSLv2 and weak cipher support is quite straightforward.
- Open the webseald.conf file in your favourite editor.
- Identify the following configuration lines:
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
- Set the disable-ssl-v2 property to 'yes'
- Now locate the ssl-qop-mgmt directive
- Set the property to 'yes'
- Locate the ssl-qop-mgmt-default directive
- Remove the default = ALL directive and add the following:
default = DES-168
default = RC2-128
default = RC4-128
default = AES-128
default = AES-256
- Save the changes and restart the webseald service
Lotus Domino
SSL ciphers can be modified either via the Domino Administrator tool, or via the notes.ini file. For the purposes of this article, we will be using the Administrator tool.
- Click Configuration and open the Server document in the Domino Directory.
- Select Ports > Internet Ports > Web
- Select 'Modify' in the SSL Ciphers field.
- Ensure that only the following ciphers are enabled:
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
Triple DES encryption with 168-bit key and SHA-1 MAC
AES encryption with 128-bit key and SHA-1 MAC (Domino 8+ only)
AES encryption with 256-bit key and SHA-1 MAC (Domino 8+ only)
- You should also ensure that 'Enable SSL v2' is set to No