PCI compliance, need to disable SSL version 2
I'm running OS X 10.7.2 and I recently failed my PCI compliance scan. I was informed that I have SSLv2 and SSLv3 and that I need to disable SSLv2. The company that performs the scan says that they can't help me do it and that I should call my ISP, ATT Uverse. I've done this and spent several hours being bounced around and they don't seem to understand what I'm talking about or how to fix it. So...my questions is how can I disable SSLv2?? I'm not very "code" savy so if you could walk me throught the steps that would be very helpful. I really don't wnat to try tech support with ATT again! TIA
Launch the Terminal application by entering the first few letters of its name into a Spotlight search. Drag or copy -- do not type -- the following line into the window, then press return:
launchctl list | sed 1d | awk '!/0x|com\.apple/ {print $3}'
Post any lines of output that appear below what you entered -- the text, please, not a screenshot.
Similar Messages
-
Need to Disable SSL V3 - How can I disable it? Is it required?
The SSL protocol 3.0 design error, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attacks (POODLE) Additional information: (CVE-2014-3566)
An unauthorised user who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server.
It is recommended to disable SSLv3 support to avoid this vulnerability.VCenter 5.5 upd 2e with SRM 5.5.1.5
Well the word has come down from the corporate security gods...it will be done. On Servers, Disable all Auth less than TLS1.1 now a combined PCI and HIPPA requirement. So I opened a ticket with VMWare to confirm a process.
As we move forward there's no doubt security requirements will rise, we have a tendency to be on the almost bleeding edge of the security knife.
What's sad is there seems to be no comprehensive guide from VMWare on critical security configuration practices at this level let alone the certificate discussion. There has to be something on the government side because the server hardening Guide\ excel spreadsheet doesn't cover current needs.
I went to TLS 1.0 on my VCenter and all looked good except it immediately broke the connections with my SRM server.
The following command can be used to confirm connection status from the bin directory of your openssl install
openssl.exe s_client -connect [VMHostFQDn]:443 -ssl3
openssl.exe s_client -connect [VMHostFQDn]:443 -tls1
Now after 3 sessions with support, SRM is SSLv3 dependent so looks like I'm getting a security exception
Regards, DGN -
Our organization is in the process of coming into PCI compliance. If you've had to do this, then you know that you need to disable SSL v2. We have three servers running IIS which are outward facing. All three are running Windows Serer 2008 R2. Two are general
Web servers, the third is also running Exchange Server 2010 with OWA. The two Web servers are compliant, and a portion of the SSLLABS.COM test shows:
Protocols
TLS 1.2
Yes
TLS 1.1
Yes
TLS 1.0
Yes
SSL 3
Yes
SSL 2
No
however, even though I ensure that the registry settings are the same on the Exchange server as on the Web servers, I get this as a result:
Protocols
TLS 1.2
No
TLS 1.1
No
TLS 1.0
Yes
SSL 3
Yes
SSL 2 INSECURE
Yes
Yes, every time I've made a change, I've run gpupdate /force then rebooted. The registry settings are not reverting; I look after the reboot and they're what I expect. The following is what is in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
Any help is appreciated.
JakeI have used the Nartac tool, clicked the PCI button, and rebooted the server. This did not work. Also, per MS KB article 187498 "How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services" (http://support.microsoft.com/kb/187498/en-us)
the example given is for PCT 1.0 but is implied for any of the protocols I believe:
To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:
Click Start, click Run, type regedt32 or type
regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click
OK.
Note If this value is present, double-click the value to edit its current value.
Type 00000000 in Binary Editor to set the value of the new key equal to "0".
Click OK. Restart the computer.
So to recap, set Enabled to 0 is not enabled, and set Enable to 1 is enabled. Or am I reading this completely wrong? -
Hi all,
i know that SSL version3 by default is enabled on the CSS.
is there anyway to disable SSL version 2 ?
Please Advice
HasanAre you referring to the ssl module ?
Here is what we support on the module :
CSS11503-2(config-ssl-proxy-list[gdufour])# ssl-server 1 version ?
ssl-tls SSL v3 & TLS v1
tls TLS Version 1
ssl SSL Version 3
No ssl version 2.
Gilles. -
Disable SSL v2 and weak cipers on a RV325 for PCI compliance
How do you disable SSL v2 and weak cipers on a RV325 to become PCI compliant?
Hello
per Cisco RVS4000 product site information this router is already end of life since January 30, 2010. Last date of support is also already missed - April 30, 2013. This means that according Cisco policy no further updates to existing firmware will be done - neither security-related fixes. And I am afraid that this is fact with which you have to deal.
regarding RV320 - it seems that there is no any possibility to restrict SSL/TLS protocol/version by your own in current version. Francis - I would recommend you to open service request to Cisco SMB Support if you still have valid support contract. I hope there is good chance to get it fixed as this security related inability.
lastly - for all products (including RVS4000) - I would suggest to keep management interface of router separated most as possible - i.e. restrict access to management interface only to single subnet/host(s) only (via Firewall feature). With having administration/management subnet and certain client(s) which is a part of this subnet can help to avoid eavesdropping your connection to router. Of course disabling remote management is the best thing you can do in any case (including avoid of possible firmware bugs, loggin attempts and so on). -
RV016 - SSL too weak Vulnerabilities on network due PCI Compliance
DISABLE REMOTE MANAGEMENT AND HTTPS.................
RV016 - SSL too weak Vulnerabilities on net: work due PCI COMPLIANCE
DISABLE REMOTE MANAGEMENT AND HTTPS.............. -
Failing PCI Compliance Scan - SSL Weak...
Hello,
I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
I did some research and spent some time with Cisco Sales Chat and they recommended a ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan failed due to SSL vulerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
Question: What router/appliance should I use to be PCI compliant? Three has to be something, we're talking, this is Cisco.
Thank you in advance for your help,
Christophe
Threat ID: 126928
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Weak Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928
Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of weak
ciphers.Details:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Threat ID: 142873
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Medium Strength Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873
Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of
medium strength ciphers.Details:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.Chris,
As i understand right now none of the Small Business router are PCI compliance ever since PCI 3.0 was released. How you overcome this; you'll need to forward any ports you are failing on to a ghost IP.. Ghost ip (any ip address that isn 't being used) If you are using those ports , then you will lose that service as the router isn't PCI 3.0 compliant.
Jason
I do believe the ASA5505 are PCI 3.0 Compliant. -
My Retina scans are showing a week vulnerabilty for: EXP-RC4-MD5 assosicated with beasvc.exe on port 5556
I need to disable SSL_RSA_WITH_RC4_40_MD5
How do I disable this ?? Do I need to do something in the config.xml file?Kindly refer this
http://weblogic-wonders.com/weblogic/2009/12/04/how-to-restrict-key-size-larger-that-128-bit-on-weblogic-server/ -
Hi All,
I am looking to achieve PCI compliance for my networking infrastructure, which includes CCX, currently runnng version 4.1 with IVR being used for credit card authentication. Not really sure where to start on this, so if anybody has any pointers on how the requirements for PCI compliance translates to what we actually need to do to the server, that would be much appreciated.
RgdsI just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!
-
How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?
my Website is hosted on Sun OS 5.06 (OAS 4.0.8) and using web server : Oracle_Web_Listener/4.0.8. Website is configured to use https for secure pages and it was working fine from last 10 years but suddenly i am getting complaints from my customers that they can not browse site on chrome version 40 and above and firefox 34 and above.
I searched for this issue and found that there is POODLE attack which may causing this issue. now the only solution i can see is to disable SSL v3 on server.
Can any help me out with the process or an idea, How to disable SSL V3 on this Olde server? its sun microsystem server.Hi Aamir,
This is old software, been a while since I saw one of these.
Normally when SSL was setup there were two listeners, one with SSL and one without, in a different port, so you could try to find this second port, which may work without any need to change the configuration.
Else, try to check on the OAS manager (Usually on port 8888), the HTTP listener -> WWW -> Network, if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
Also, there may be some setting on the application itself for the url path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depend on the application itself.
Found this page on google with the process to setup SSL on OAS 4.0, you need to do the inverse of step 5.
WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
Regards,
Luis -
Patching vulnerabilities for PCI compliance
Hi
My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but its still failing
What do i need to do to be able to resolve these? If i can't patch them by Thursday, i'll have to shut down the server
SSL/TLS use of weak RC4 cipher CVE-2013-2566
OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806) CVE-2014-3512
CVE-2014-3511
CVE-2014-3510
CVE-2014-3507
CVE-2014-3508:
CVE-2014-5139:
CVE-2014-3509:
CVE-2014-3505:
CVE-2014-3506
Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day CVE-2007-6750If your running OS X 10.9.2 as your message indicates then you are not patched to the highest level. (By a long way.)
OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
If you want complete control over patching the software then OS X is not going to let you do this with out as mentioned above severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X as in Windows it is all closed source (Microsoft) software. -
Hi,
I'm creating a privacy policy for my MUSE website, can you help answer these questions. I have free basic site with my membership:
1) Is your website getting regular security scans that meet or exceed PCI Compliance standards?
2) Is your website receiving regular malware scans?
3) Does your website have and use an SSL certificate?
If any are no, can you tell me what it takes to upgrade to a yes?
Thanks,
AnitaI just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!
-
PCI Compliance Azure Websites (CVE-2014-6321)
Trying to gain PCI compliance of an azure website. Trustwave scan came back as a pass apart from the following:-
Vulnerability in Security Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
Anything I can do? It's post 443 - we have a EV SSL certificate in IP Based SSL.I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!
-
What license do I need for 25 SSL VPN Peers
Hi all,
I want to implement Active/Standby cluster with a pair of 5550 ASAs and I have a licensing question. Here is the "sh activation-key detail" output from both devices...
ASA1:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
The flash activation key is the SAME as the running key.
ASA2:
sh activation-key detail:
Serial Number: XXXXX
No active temporary key.
Running Activation Key: XXXXX XXXXX XXXXX XXXXX XXXXX
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
The flash activation key is the SAME as the running key.
So it looks obvious that I'll have to upgrade the first ASA to support 25 SSL VPN Peers in order to build HA cluster, right?
Now I want to know do I need the "ASA5505-SSL25-K9" license or something else.
Thanks much in advance for any help!Hi all,
as I said I tried to upgrade the ASA1 to version 8.3, but unfortunately the limit of 2 SSL VPN Peers remained.
It seems so that I’ll have to buy that license, although I don’t need that functionality. If someone has some more hints left, I’d be grateful to hear them.
Here is the output from “sh activation-key detail” and below the output from “sh ver”:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 250 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5550 VPN Premium license.
Licensed permanent key features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 250 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
The flash permanent activation key is the SAME as the running permanent key.
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.4(7)
Compiled on Fri 30-Jul-10 17:49 by builders
System image file is "disk0:/asa832-k8.bin"
Config file at boot was "startup-config"
xxxxx up 12 mins 33 secs
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Thanks,
Simo -
Need to disable the clearing of browsing history and what is the "about:config" function for it?
I am working on an Group Policy Administrative template for Wetdog.exe, and it's awesome by the way. Just want to know what function to use (listed in "about:config" url) so i can turn this feature off entirely.
I don't want my users deleting browsing history, or have any ability to view it either.
Still, i want the browser to keep at least 30 days of history.
This is EASILY accomplished in Internet Explorer via GPO, but not so much in Mozilla with wetdog.exe and it's admin templates. I am using Windows Server 2003 enterprise edition R2 on 2 domain controllers, and Windows XP Professional SP3 client workstations with Mozilla 3.6.3 and the latest version of Wetdog.exe and it's admin templates.
Any help would be much appreciated!!!
== This happened ==
Every time Firefox opened
== My boss decided that we need to keep browsing history locked out of our existing 700+ workstations ==
== Troubleshooting information ==
just need to disable the "history" button, the "tools\clear recent history" button, and "tools\options\privacy tab\history"It can be annoying, but I think their motivation is good. They are trying to make things better for their customers and I think they have, even though sometimes it is annoying. I think it would be nice if they would advise us when the pages are going to be down for maintenance, In the mean time, you could have another E mail account so you can always get access to your E mail.
Maybe you are looking for
-
HT6114 mac os 10.9.2 update conflict with adobe camera raw ?
All of a sudden Adobe camera raw won't convert either raw Canon or Leica files. Keep getting the error code to re-install CS6, but that does not solve it.
-
FTTC Confirmed on my Cab and Neighbour can get it ...
Hello all, I have seen others with a similar problem to mine. I live in a 2007 developed block of flats in Cheltenham. My Neighbour who is 50 yards away can get the BT Faster Total Broadband at 9-15MBs and yet I cannot. We are both linked to the sa
-
Is there a way to contact a specific person on here?
Is there a way to contact a specific person on here? I am having unbelievable problems & one person is trying to help me. One way is to refer me to another's post/site. Is there any way that I can directly contact that person to get the "straight" of
-
Hi All, I have created a APD process. Source : Query Trans : Hide columns and Routine Target : Application server. In my query level I have varaible on Company code.For this variable I have created a separate variants for each compnay codes.In APD In
-
How to Restrict/Disable back button in browser
Hi guys, I am writing a enterprise web application using ADF. I am using JDeveloper 11.1.2.0.0. I want to restrict/ disable browser back/forward buttons in all my .jspx and .jsf pages. It was discussed in following thread as well. how to Restrict/Dis