Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443
Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443 even though SSLCipherSuite disables them.
I"ve search a number of posts on this topic but have been unable to find a solution to my problem.
I am currently failing PCI compliance on:
SSL/TLS Weak Encryption Algorithms:
Evidence:
TLSv1_2 : AECDH-DES-CBC3-SHA
TLSv1_2 : AECDH-AES128-SHA
TLSv1_2 : AECDH-AES256-SHA
And
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32:
Evidence:
TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
TLSv1_2 : AECDH-DES-CBC3-SHA
TLSv1_2 : DES-CBC3-SHA
Although I have my SSL Cipher Suite to disable these Algorithms:
SSL Cipher Suite [?]
HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
SSL/TLS Protocols [?]
All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Have I miss interpreted something? Help is appreciated and welcomed!
-
Hello @GregWilliamBryant, Can you go through the steps we document at the link below to rule out any duplicate/old entries in your Apache configuration as the cause of the issue? How to Troubleshoot PCI Compliance Scans - cPanel Knowledge Base - cPanel Documentation Thank you. 0 -
I had this come up on my PCI scans this month. The scanning company stated it was due to SHA-1 then rambled on about the Google sunset. After triple checking everything I couldnt find any issue so I asked them to manually check my SSL at ssllabs.com and they then logged it as a false positive and passed my scan. Worth a thought before you drive yourself mad running scans and not being able to resolve it! 0
Please sign in to leave a comment.
Comments
2 comments