Unlimited Strength Encryption?
I am aware that with j2sdk v1.4 beta3 that the jce is packaged with Strong encryption, dictated by the jurisdiction policy files, local_policy.jar and us_export_policy.jar and that these can be replaced with files that allow 'unlimited' strength encryption!
But what about jce1.2.1? I am unable to find any reference to files that do the same for the optional package for java 1.3 users. Does the package come with Unlimited Strength as standard? I doubt this is the case.
Any answers will be greatly appreciated!
Regards,
Thee olde wizard
From the JCE 1.2.2 FAQ:
Since the US government has relaxed export restrictions on
cryptographic strengths, the JCE 1.2.2 software from Sun Microsystems
now has a single distribution for both domestic and global users. The
bundled jurisdiction policy files contain no restrictions on
cryptographic strengths.
I believe the same was true of 1.2.1
Similar Messages
-
How to Update Encryption in WebLogic 7
I am currently working on a web application and our payment provider has stopped supporting low strength encryption. This has caused the webapp to fail each time we try to send a secure transaction thru to the Payment Provider.
Does anyone know the best way to update our encryption strength within WebLogic to minimally a medium-strength encryption?
Our current encryption is 'exportable' and as mentioned does not meet their new standards. We are running WebLogic 7 with Java 1.3.1.
Thanks in advance
Use your console to create a web-app from the directory with the web-inf and your jsp. Hit deploy and it should work.
War files are not necessary, for fast jsp development it's even better to not use wars. -
How can I find out if an installation of Unified Development Server is 128 or 40 bit encryption
I have UDS installed, I would like to know whether it's 128 or 40 bit encryption
UDS 3.5 and above include cryptography support. This comes as direct access to cryptography primitives as well as indirect access when using the built-in SSLExternalConnection class that supports SSL 3.0. The early versions shipped two different cryptography strengths as required by export controls. The latest versions of UDS are now allowed to ship the higher strength encryption to all customers. My previous post gave a way to determine which cryptography support was installed in your installation.
-
Encryption For Backups ?
Hi,
I want to make a back-up to a DVD and have the disc 'off-site', i.e. at a friend's house. Is there a way to encrypt the data, so that no one can read them? Military-strength encryption isn't needed; just enough to keep curious eyes away.
Thanks.
4.7 GB is too large for a single layer DVD. 4.38 GB
is the maximum that will fit. Once you have burned
the DVDs (you may want to make more than one, if the
data is valuable, and store in separate locations),
you can delete the disk image file. Don't forget the
password for the encrypted file. Mount one of the
DVDs, and make sure the password works, and the files
are readable.
Right, well the DVD is readable in my Mac, even with the image deleted from $HOME. However, when I put the DVD into a machine at work today (Windows), it didn't even see the disk.
D.C. -
Applying Strong Encryption after portal install
How do you apply strong encryption after the portal install? I am sure I have seen it in an installation guide.
I am using IBM AIX. I downloaded the two encryption file sets:
SAP Cryptographic Library IBM AIX for RS6000/Power
SAP JAVA CryptoToolkit (J2EE Engine as of Release 6.30)
I am using EP6 SP11.
The CryptoToolkit contains a SDA file that I use SDM to install but I do not know what to do with the file in the Cryptographic Library.
Can anyone help?
Thanks
Patrick
Hi Patrick,
the "SAP Cryptographic Library" is the crypto code for ABAP servers. The "SAP Java Cryptographic Toolkit" is the one you need for SAP J2EE Engine (WebAS Java).
To be able to use any Java crypto toolkit ("JCE provider") without restrictions regarding key size etc., you need to replace the default "JCE policy files" shipped with the JDK by the "JCE policy files for unlimited strength encryption" from your JDK provider.
As you can see in SAP note 796540, for IBM JDK, you can download the files (after registration) from https://www6.software.ibm.com/dl/jcesdk/jcesdk-p
Best regards
Heiko -
SSL Medium Strength Cipher Suites Supported vulnerability
Kind of an odd thing. We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites. I say strange cause I have 3 others that have the same IOS image and they didn't get pinged. Swap out the management IP address and they are all the same. They are all running 12.2(52)SE C2960-LANBASEK9-M, with 768-bit keys. Here is the text of the vulnerability :
Synopsis : The remote service supports the use of medium strength SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Can someone point me in the right direction on how to re-configure the switch to pass this test?
Thanks
Poirot
I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768-bit RSA keys are not considered secure enough any more.
I would suggest you to configure keys of 1024 on these switches and try again.
I hope it helps.
PK -
Portal Runtime Error while performing User Mapping to SAP SRM
Please find below the error I received while User Mapping from Enterprise Portal to SAP SRM :
Portal Runtime Error
An exception occurred while processing a request for :
iView : pcd:portal_content/administrator/super_admin/super_admin_role/com.sap.portal.user_administration/com.sap.portal.user_mapping/com.sap.portal.userMappingAdmin/com.sap.portal.userMappingAdmin
Component Name : com.sap.portal.usermanagement.admin.UserMappingAdmin
User Mapping not fully available..
Exception id: 04:21_23/06/05_0073_8097650
See the details for the exception ID in the log file
Hi,
yes, Karsten is correct. Just some background:
"User Mapping not fully available.." finally means that user mapping is configured to use strong encryption, but the main crypto key for user mapping is missing. Usually, that's because "SAP Java Cryptographic Toolkit" and/or "JCE policy files for unlimited strength encryption" are not installed (or the server hasn't been restarted afterwards). The note will most likely help.
Best regards
Heiko -
Input and output variables are not shown
Hi,
I am using BICS connectivity to connect to a BeX query from Xcelsius. I am able to logon to SAP use datamanager conn and also able to select a query. But after that the query input and output variables are not shown. Instead all those fields are greyed out. I am not sure whether I am missing any configuration. Please let me know if anyone has a workaround for this issue.
Thanks,
Sivakami - SEMC SAP team
That is interesting. The first (AES) is producing a 128-bit key, the second (aes) is producing a 256-bit key.
Producing a 256-bit key should not be possible without the JCE/JCA Unlimited strength policy files installed. I have those files installed, do you?
If someone who doesn't have the policy files installed tried it, what do they get?
I would suspect that the case-sensitive nature of the underlying JVM is causing it to choose a different Crypto Provider when you use aes than when you use AES. The JVM that ColdFusion ships with (and the standard JVM) have several crypto providers to choose from (plus ColdFusion Enterprise and Developer edition also include the BSafe Crypto-J provider), I think there are 10-11 total.
I would log a bug for this.
FYI, you can control this by using the optional keylength argument in generateSecretKey()
These two statements will produce keys with the same length.
#arrayLen(binarydecode(generateSecretKey("AES", 128),"base64") )#
#arrayLen(binarydecode(generateSecretKey("aes", 128),"base64") )# -
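The question raised in the reply above (what a JVM without the unlimited strength policy files does with a 256-bit key) and the policy-file replacement described in the earlier SAP answers can be checked directly on the JVM in question. The following is an added example, not code from any of the posters; the class and method names are hypothetical and it assumes Java 5 or later, where Cipher.getMaxAllowedKeyLength is available.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    /** Largest key size in bits that the installed jurisdiction policy files allow. */
    static String maxKeyBits(String algorithm) throws NoSuchAlgorithmException {
        int max = Cipher.getMaxAllowedKeyLength(algorithm);
        return max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max);
    }

    /**
     * Initialises AES/CBC with a random key of the requested size.
     * Returns "ok ..." on success, or the exception text when the key is refused.
     */
    static String probeAes(int keyBits) {
        SecureRandom random = new SecureRandom();
        byte[] key = new byte[keyBits / 8];
        byte[] iv = new byte[16];
        random.nextBytes(key);
        random.nextBytes(iv);
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return "ok (provider " + cipher.getProvider().getName() + ")";
        } catch (InvalidKeyException e) {
            // With the limited policy files, this is where a 192- or 256-bit key is rejected.
            return "refused: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        for (String algorithm : new String[] {"AES", "DESede", "RSA"}) {
            System.out.println("policy limit for " + algorithm + ": " + maxKeyBits(algorithm) + " bits");
        }
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + " init: " + probeAes(bits));
        }
    }
}
```

Run it with the same JVM the application server uses, since the policy files are per installation. On JDK 8u161 and later the unlimited policy is the default, so a 128-bit AES limit appears only on older runtimes or where the crypto.policy security property is set to limited.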
Can using BouncyCastle be an alternative to installing the policy files?
Hey, sorry if this is a dumb question but I have been looking into this all day.
I want to write a program that incorporates unlimited strength encryption, but installing the JCE Unlimited Strength Jurisdiction Policy Files is not an option (I can do it on one of the development machines, but I don't have write access to JAVAHOME on the other, and I can't expect every user of the program to install these files).
Now I know that if I specify BouncyCastle as a provider when using JCE, I still have to install the above files... but what if I don't use JCE and I use the algorithms provided (handily without any form of documentation whatsoever) by BouncyCastle - can this be a workaround? I've heard conflicting views on this.
If this isn't the case, can anyone please point me in the right direction of what I could do instead? Ie. if there was some way to include these files in the classpath rather than actually install them.
Also, if using BC is a solution to problem, I would really appreciate it if anyone has such an example of AES-256 encryption and decryption with CBC and padding that they could point me in the direction of, I am having a real issue figuring out the BC API.
Thank-you so much if you can help me.
As long as you use the BouncyCastle lightweight crypto API rather than the JCE you should not encounter any of the JCE's restrictions. This means you cannot use Cipher.getInstance("Whatever/ABCCBC/TooMuchPadding", "BC"). Just include the lightweight api jar in your class path; the source is here: http://www.bouncycastle.org/download/lcrypto-jdk1<whatever>-139.zip
I haven't played with bouncycastle in awhile, but I think something like this will get you started:
BlockCipher aes = new AESEngine();
CBCBlockCipher aes_cbc = new CBCBlockCipher(aes);
byte [] key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; // 16 bytes for AES-128
CipherParameters params = new KeyParameter(key);
aes_cbc.init(true, params);
//... -
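A fuller version of the approach in the answer above, as an added example rather than code from the poster or from the Bouncy Castle project: AES-256 in CBC mode with PKCS7 padding through the lightweight API, so no JCE Cipher.getInstance call is involved. It goes beyond the question by adding an HMAC-SHA256 over IV and ciphertext, because CBC on its own gives no integrity protection; the class name, method names and message layout are assumptions, and the lightweight API jar is assumed to be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;

public class BcLightweightAes256 {
    private static final int IV_LEN = 16;  // AES block size in bytes
    private static final int TAG_LEN = 32; // HMAC-SHA256 output size in bytes

    /** Runs AES/CBC/PKCS7 over in[off..off+len) in one shot. */
    private static byte[] cbc(boolean encrypt, byte[] key, byte[] iv, byte[] in, int off, int len)
            throws InvalidCipherTextException {
        PaddedBufferedBlockCipher cipher = new PaddedBufferedBlockCipher(
                new CBCBlockCipher(new AESEngine()), new PKCS7Padding());
        cipher.init(encrypt, new ParametersWithIV(new KeyParameter(key), iv));
        byte[] out = new byte[cipher.getOutputSize(len)];
        int n = cipher.processBytes(in, off, len, out, 0);
        n += cipher.doFinal(out, n);
        return Arrays.copyOf(out, n); // on decryption the padding has been removed
    }

    /** HMAC-SHA256 over the first len bytes of data. */
    private static byte[] hmac(byte[] macKey, byte[] data, int len) {
        HMac mac = new HMac(new SHA256Digest());
        mac.init(new KeyParameter(macKey));
        mac.update(data, 0, len);
        byte[] tag = new byte[mac.getMacSize()];
        mac.doFinal(tag, 0);
        return tag;
    }

    /** Output layout (an assumption of this example): IV || ciphertext || HMAC(IV || ciphertext). */
    static byte[] encrypt(byte[] encKey, byte[] macKey, byte[] plaintext) throws InvalidCipherTextException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh random IV for every message
        byte[] ct = cbc(true, encKey, iv, plaintext, 0, plaintext.length);
        byte[] out = new byte[IV_LEN + ct.length + TAG_LEN];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        byte[] tag = hmac(macKey, out, IV_LEN + ct.length);
        System.arraycopy(tag, 0, out, IV_LEN + ct.length, TAG_LEN);
        return out;
    }

    /** Verifies the tag before touching the padding, then decrypts. */
    static byte[] decrypt(byte[] encKey, byte[] macKey, byte[] msg) throws InvalidCipherTextException {
        if (msg.length < IV_LEN + 16 + TAG_LEN) {
            throw new InvalidCipherTextException("message too short");
        }
        int bodyLen = msg.length - TAG_LEN;
        byte[] expected = hmac(macKey, msg, bodyLen);
        byte[] actual = Arrays.copyOfRange(msg, bodyLen, msg.length);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new InvalidCipherTextException("MAC check failed");
        }
        byte[] iv = Arrays.copyOfRange(msg, 0, IV_LEN);
        return cbc(false, encKey, iv, msg, IV_LEN, bodyLen - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        byte[] encKey = new byte[32]; // 32 bytes = AES-256
        byte[] macKey = new byte[32]; // separate key for the HMAC
        random.nextBytes(encKey);
        random.nextBytes(macKey);

        byte[] msg = encrypt(encKey, macKey, "constructed sample plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(encKey, macKey, msg), StandardCharsets.UTF_8));

        msg[IV_LEN] ^= 1; // flip one ciphertext bit to show that tampering is rejected
        try {
            decrypt(encKey, macKey, msg);
        } catch (InvalidCipherTextException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```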
What channels come with the DTA HD boxes
...and no one at COMCAST can tell you what channels come with the DTA HD boxes. All they do is send you a link to sign in...typical COMCAST
pablomunich wrote:
...and no one at COMCAST can tell you what channels come with the DTA HD boxes. All they do is send you a link to sign in...typical COMCAST
Apologies for any confusion we may have caused.
Currently, the DTAs (small boxes) are limited to viewing (up to and including) Digital Starter content.
Our DTAs don't yet support full strength encryption like full cable boxes do. Full-strength encryption is currently required for authorizing premium channels (like HBO) on a DTA.
DTAs that we have deployed support "privacy mode". This is a limited fixed passkey form of content protection.
We have no current plans to activate full-strength encryption, but if we were to do that in the future it would be done in a way that would be in compliance with FCC rules, including obtaining any necessary FCC waivers.
Some additional background at the link below (the article is from 2012 but still a good primer):
http://www.lightreading.com/spit-(service-provider-it)/security-platforms/comcasts-dtas-security-optional/d/d-id/660833
We can certainly arrange to swap your DTA for a full cable box. Please give us a call at 1-800-COMCAST or stop by one of the local service centers below to swap your box.
73 Rock Ave
Plainfield, NJ 07063
MONDAY-SATURDAY: 9:30am-6:30pm SUNDAY: closed
800 Rahway Ave
Union, NJ 07083
MONDAY-SATURDAY: 9:30am-6:30pm SUNDAY: closed
381 Lord St
Avenel, NJ 07001
MONDAY-SATURDAY: 9:30am-6:30pm SUNDAY: closed
Additional information here: http://customer.comcast.com/help-and-support/cable-tv/digital-adapter-enhancement
Attached lineup for your area should also help, also sent this to you via e-mail. Digital Starter includes Limited Basic plus Expanded Service in your area -
SOAP message security fault:FailedCheck error
Hi,
I have a client application that adds a signature to the SOAP request. (Most of
the code has been taken from "Writing the Java Code to Invoke a Secure Non-WebLogic
Web Service" at http://e-docs.bea.com/wls/docs81/webserv/security.html)
Enabling the jvmarg verbose flag in build.xml indicates that the request going
out has a wsse:Security element with a signature, binary and username token.
The response from the server is as follows :
[java] <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><env:Header/><env:Body><env:Fault xmlns:fault="http://schemas.xmlsoap.org/ws/2002/07/secext"><faultcode>fault:FailedCheck</faultcode><faultstring>failed security check for message body</faultstring></env:Fault></env:Body></env:Envelope>
After which i get a javax.xml.rpc.soap.SOAPFaultException: failed security check
for message body.
I believe that i maybe getting this error because the server is unable to verify
the signature for some reason. Am i missing something here?
Also please let me know if you need more information to diagnose the problem.
thanks,
Nadeem.
The root cause being:
[java] [weblogic.xml.security.encryption.EncryptionException: http://www.w3.org/2001/04/xmlenc#tripledes-cbc can only be used with a domestic license]].>
I believe the security framework checks the WebLogic license file
(license.bea) to determine whether to use domestic or international
strength encryption.
Nadeem Ilkal wrote:
Hi Bruce,
I tried the example you pointed out and i am getting the following exception.
The signature and encryption verbose flags are enabled by default in build.xml.
run:
[java] <Jun 2, 2003 11:19:22 AM PDT> <Info> <webservice> <BEA-220024> <Handler weblogic.webservice.core.handler.WSSEClientHandler threw an exception from its handleRequest method. The exception was:
[java] weblogic.xml.security.SecurityConfigurationException: Failed adding encryption to request - with nested exception:
[java] [weblogic.xml.security.SecurityProcessingException: Problem adding encrypted key - with nested exception:
[java] [weblogic.xml.security.encryption.EncryptionException: http://www.w3.org/2001/04/xmlenc#tripledes-cbc can only be used with a domestic license]].>
[java] java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: Failed adding encryption to request; nested exception is:
[java] javax.xml.rpc.soap.SOAPFaultException: Failed adding encryption to request
[java] at sign.SecurityPort_Stub.echo(SecurityPort_Stub.java:30)
[java] at sign.SecureClient.main(SecureClient.java:63)
[java] Caused by: javax.xml.rpc.soap.SOAPFaultException: Failed adding encryption to request
[java] at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:270)
[java] at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:131)
[java] at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:430)
[java] at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:416)
[java] at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:275)
[java] at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:250)
[java] at sign.SecurityPort_Stub.echo(SecurityPort_Stub.java:27)
[java] ... 1 more
[java] Exception in thread "main"
[java] Java Result: 1
thanks,
Nadeem.
Bruce Stephens <[email protected]> wrote:
Hello,
Have you tried going through the example:
http://webservice.bea.com/index.html#qz15 and making sure this works
OK
for you?
Also, try the following system properties to view more runtime security
information:
weblogic.xml.encryption.verbose=true
weblogic.xml.signature.verbose=true
HTH,
Bruce
Nadeem Ilkal wrote:
Hi,
I have a client application that adds a signature to the SOAP request.
(Most of
the code has been taken from "Writing the Java Code to Invoke a Secure
Non-WebLogic
Web Service" at http://e-docs.bea.com/wls/docs81/webserv/security.html)
Enabling the jvmarg verbose flag in build.xml indicates that the request
going
out has a wsse:Security element with a signature, binary and username
token.
The response from the server is as follows :
[java] <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><env:Header/><env:Body><env:Fault xmlns:fault="http://schemas.xmlsoap.org/ws/2002/07/secext"><faultcode>fault:FailedCheck</faultcode><faultstring>failed security check for message body</faultstring></env:Fault></env:Body></env:Envelope>
After which i get a javax.xml.rpc.soap.SOAPFaultException: failed security
check
for message body.
I believe that i maybe getting this error because the server is unable
to verify
the signature for some reason. Am i missing something here?
Also please let me know if you need more information to diagnose the
problem.
thanks,
Nadeem.
-
SSL implementation not available ... Help!
Using WLS 7.0 SP2 on HP-UX and when attempting to establish an outgoing SSL connection
I receive an "SSL implementation not available" exception.
In the International version of WLS 7.0 I am able to establish the SSL connection,
but when the same application is loaded into the same version of the Domestic
WLS, it produces the exception.
Usually I expect that exception when there is no appropriate CSP (Cryptographic
Service Provider) entry in JAVA_HOME/jre/lib/security/java.security? How does
one configure a Third Party CSP (Cryptographic Service Provider) for use in WLS?
I am trying to use the Sun CSP.
The code snippet that works on International WLS but not in Domestic WLS is below:
String target = "https://localhost/testApp/NotificationServlet";
URLConnection urlc = null;
URL targetWebService;
// load input file
try {
    // Construct the URL using the HTTPS URL stream handler
    targetWebService = new URL(null, target, new Handler());
    // Register the Sun JSSE provider
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    urlc = targetWebService.openConnection();
    urlc.setRequestProperty("Content-Type", "text/xml");
    ((HttpURLConnection) urlc).setRequestMethod("POST"); // It's a post request
    urlc.setDoOutput(true);
    urlc.setDoInput(true);
    OutputStream os = urlc.getOutputStream();
    os.write(buf); // buf is defined in code not shown here
    os.flush();
    os.close();
} catch (IOException ioex) {
    System.out.println("PBM_APPLICATION_0252 Unable to connect to " + target + " " + ioex.getMessage());
} catch (Exception ex) {
    System.out.println("PBM_APPLICATION_0252 Unable to connect to " + target + " " + ex.getMessage());
}
Thanks.
In 7.0 SSL implementation used by weblogic tries to use JCE provider before defaulting
to its own. So, you should be able to make it use Sun's provider by moving it
in front in java.security file, or doing the same through api. In any case, even
when no JCE provider is configured, it should not fail. One of the reasons it
could fail, though, is if you do not have proper SSL license (i.e. trying to do
domestic strength encryption while having export license), but I think the error
message would be different in this case.
Are you passing weblogic.net.https.Handler to URL constructor? If yes, you can
try to set ssl debug flags on to get more info about the failure: -Dssl.debug=true
-Dweblogic.StdoutDebugEnabled=true
Pavel.
"L Selleck" <[email protected]> wrote:
>
Using WLS 7.0 SP2 on HP-UX and when attempting to establish an outgoing
SSL connection
I receive an "SSL implementation not available" exception.
In the International version of WLS 7.0 I am able to establish the SSL
connection,
but when the same application is loaded into the same version of the
Domestic
WLS, it produces the exception.
Usually I expect that exception when there is no appropriate CSP (Cryptographic
Service Provider) entry in JAVA_HOME/jre/lib/security/java.security?
How does
one configure a Third Party CSP (Cryptographic Service Provider) for
use in WLS?
I am trying to use the Sun CSP.
The code snippet that works on International WLS but not in Domestic
WLS is below:
String target = "https://localhost/testApp/NotificationServlet";
URLConnection urlc = null;
URL targetWebService;
// load input file
try {
    // Construct the URL using the HTTPS URL stream handler
    targetWebService = new URL(null, target, new Handler());
    // Register the Sun JSSE provider
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    urlc = targetWebService.openConnection();
    urlc.setRequestProperty("Content-Type", "text/xml");
    ((HttpURLConnection) urlc).setRequestMethod("POST"); // It's a post request
    urlc.setDoOutput(true);
    urlc.setDoInput(true);
    OutputStream os = urlc.getOutputStream();
    os.write(buf); // buf is defined in code not shown here
    os.flush();
    os.close();
} catch (IOException ioex) {
    System.out.println("PBM_APPLICATION_0252 Unable to connect to " + target + " " + ioex.getMessage());
} catch (Exception ex) {
    System.out.println("PBM_APPLICATION_0252 Unable to connect to " + target + " " + ex.getMessage());
}
Thanks. -
WLS (40-bit) to WLS (128 bit) installation
Hopefully this will help shed some light on the subject.
Terry
If you receive the following warning:
<I> <Security> WARNING: Exportable (weak) WebLogic Server build running and
domestic (full) strength SSL license detected. Only exportable strength SSL
connections will be accepted.
This indicates that you have a full strength certificate but a weak strength
build of the server. For full strength encryption there is a different WLS
build. The generally-available (weak/40-bit) version of WLS 5.1 supports
512-bit certificates and 40-bit bulk data encryption. The full strength
(128-bit) WLS 5.1 build supports 768-bit and 1024-bit certificates and
128-bit bulk data encryption. Your sales contact can provide the required
forms and a special URL to download the full strength build of WebLogic.
The installation for the 128-bit version is the same as the installation for
the 40-bit version. When converting to the 128-bit version a complete
re-installation is necessary. If you are installing service packs, please
note that although Service Packs 1-5 are the same for both the 40-bit and
128-bit versions, SP6 for the 128-bit version is a controlled release. In
order to obtain SP6 for WLS 5.1 (128-bit), you will need to contact your
sales representative who will be able to provide a URL where it can be
downloaded.
Some other notes concerning the 128-bit installation. First, ensure that
you are using the permanent license that has been updated with the 128-bit
key. Second, for information on setting up WLS SSL (i.e. installing
1024-bit security certificates), please see the documentation at:
http://www.weblogic.com/docs51/classdocs/API_secure.html.
It is my understanding that the difference between the 40-bit and 128-bit
versions of WLS 5.1 is in the encryption/decryption module. Since the
difference is limited to this particular module, transitioning from the
40-bit to the 128-bit version should be transparent as far as WLCS (3.1.1
SP1 & 2.01 SP2) is concerned. This is supported by the fact that there is a
single version of WLCS for both domestic use and export use.
A couple of general notes concerning WLCS 3.1.1/2.0.1 installations running
on top of WLS 5.1 (40-bit or 128-bit) SP6:
WLCS 3.1.1: To date, support cases have not been received with a WLCS
3.1.1 installation running on top of WLS
5.1 (40-bit/128-bit) SP6 where SP6 has been determined to be the
problem.
WLCS 2.0.1: With one minor exception (see Solution S-05838 below),
support cases have not been received with a
WLCS 2.0.1 installation running on top of WLS 5.1 (40-bit/128-bit) SP6
where SP6 has been determined to be the
problem.
A couple of general notes concerning WLCS 2.01 and WLS 5.01 (40- or 128-bit)
Service Packs 1-6:
- There have been problems when using SP1, SP2 and SP3 for WLS 5.
- Therefore, SP4 (minimum) is required.
- To date, support cases have not been received where SP5 has been
determined to be a problem.
- There is one small issue related to SP6 (see Solution S-05838 below).
Otherwise, support cases have not been
received where SP6 has been determined to be a problem.
- Following the SP6 installation, all the JSPs will need to be
recompiled. Due to the custom tags used in WLCS 2.0.1,
the JSPs cannot be pre-compiled. Therefore, recompiling will occur as
the pages are accessed.
Please see the release notes that accompany each service pack downloads for
issues that are resolved with each particular
service pack.
Solution S-05838
A better solution to the problem: WLCS 2.0.1 only: DataLoader script causes
ASCClientException with WLS 5.1 SP6
Old Solution:
Use WLS 5.1 SP5 to run the DataLoader, THEN upgrade to SP6.
New Solution:
You can run the DataLoader without exceptions for WLCS 2.0.1 SP2 and WLS 5.1
SP6 if you modify the script to use t3 socket connections instead of http.
Open the DataLoader script for editing and change the two appearances of
"http://" to "t3://".
You need to contact your sales rep and get the domestic strength version of
WLS.
Michael Girdley
Product Manager, WebLogic Server
BEA Systems Inc.
Ravi Kumar.T <[email protected]> wrote in message
news:8945ju$lu8$[email protected]..
Where to specify the no of bits for encryption for SSL? Does it depend on
verisign certificates installed?
We are using weblogic 4.5.1 on Solaris, and my site is having following
encryption
SSL 3.0, RC4 with 40 bit encryption (Low); RSA with 512 bit exchange
and I have seen some other sites are having
SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
thanks..
ravi -
Failing PCI Compliance Scan - SSL Weak...
Hello,
I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
Question: What router/appliance should I use to be PCI compliant? There has to be something, we're talking, this is Cisco.
Thank you in advance for your help,
Christophe
Threat ID: 126928
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Weak Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928
Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Details:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Threat ID: 142873
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Medium Strength Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873
Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of
medium strength ciphers.
Details:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Chris,
As I understand right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. How you overcome this; you'll need to forward any ports you are failing on to a ghost IP.. Ghost ip (any ip address that isn't being used) If you are using those ports, then you will lose that service as the router isn't PCI 3.0 compliant.
Jason
I do believe the ASA5505 are PCI 3.0 Compliant. -
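The cipher listings in the scan findings quoted in this thread and in the earlier 2960 switch thread share one line format, described by their own field legend. The following added example (not part of any post, and not scanner code) parses that format and shows which field places each suite in the low or medium bucket, using the thresholds stated in the report text; the class and method names are hypothetical, and treating a suite with no key size in its Enc= field as 0 bits is an assumption of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScanCipherTriage {

    /** One cipher line from the report, with the bucket its Enc= key size falls into. */
    static final class Finding {
        final String protocol, cipher, keyExchange, encAlg, bucket;
        final int encBits;
        final boolean export;

        Finding(String protocol, String cipher, String keyExchange, String encAlg, int encBits, boolean export) {
            this.protocol = protocol;
            this.cipher = cipher;
            this.keyExchange = keyExchange;
            this.encAlg = encAlg;
            this.encBits = encBits;
            this.export = export;
            this.bucket = bucket(encBits);
        }
    }

    // {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc=ALG(bits) Mac={mac} {export flag}
    private static final Pattern CIPHER_LINE = Pattern.compile(
            "^(\\S+)\\s+Kx=(\\S+)\\s+Au=\\S+\\s+Enc=([^\\s(]+)(?:\\((\\d+)\\))?\\s+Mac=\\S+(\\s+export)?$");
    // Protocol headings that precede each group of cipher lines.
    private static final Pattern PROTOCOL_LINE = Pattern.compile("^(SSLv\\d+|TLSv\\d+(\\.\\d+)?)$");

    /** Thresholds as stated in the report text: low < 56 bits, medium >= 56 and < 112 bits. */
    static String bucket(int encBits) {
        if (encBits < 56) return "low";
        if (encBits < 112) return "medium";
        return "above-medium";
    }

    static List<Finding> parse(String report) {
        List<Finding> findings = new ArrayList<>();
        String protocol = "unknown";
        for (String raw : report.split("\\r?\\n")) {
            String line = raw.trim();
            if (PROTOCOL_LINE.matcher(line).matches()) {
                protocol = line;
                continue;
            }
            Matcher m = CIPHER_LINE.matcher(line);
            if (m.matches()) {
                // A suite without a key size in Enc= is counted as 0 bits (assumption of this example).
                int bits = m.group(4) == null ? 0 : Integer.parseInt(m.group(4));
                findings.add(new Finding(protocol, m.group(1), m.group(2), m.group(3), bits, m.group(5) != null));
            }
            // Section headings, the field legend and free text are skipped.
        }
        return findings;
    }

    public static void main(String[] args) {
        // Cipher listing copied from the scan findings quoted in this thread.
        String report = String.join("\n",
                "Low Strength Ciphers (< 56-bit key)",
                "SSLv2",
                "EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export",
                "EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
                "Medium Strength Ciphers (>= 56-bit and < 112-bit key)",
                "SSLv2",
                "DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5",
                "SSLv3",
                "DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1",
                "TLSv1",
                "DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1");
        for (Finding f : parse(report)) {
            System.out.printf("%-6s %-16s Kx=%-9s Enc=%s(%d)%s -> %s%n",
                    f.protocol, f.cipher, f.keyExchange, f.encAlg, f.encBits,
                    f.export ? " export" : "", f.bucket);
        }
    }
}
```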
Airport Extreme Card wont connect to D-Link DIR-615 (wireless N router)
Hi, I got an old Mac G5 that has the airport extreme card in it and can't connect to the internet through with my D-Link DIR-615. I tried a couple options on a MAC but didn't work. I have a Laptop running Windows Vista and had no problem connecting. I'm using WPA for security and my password has 31 characters. Do you guys think That I have to change the length of my password to 26 or even less? Is there any guide that you guys may know that could help me on this issue?
Thanks a lot.
Masrocha
Password
40-bit hex
40-bit ASCII
128-bit hex
128-bit ASCII
LEAP
This would be telling me that your G5's AirPort is NOT "seeing" the D-Link's wireless network as encrypted with WPA, but with WEP instead. This typically can be caused by either the D-Link's current configuration is incompatible with the AirPort card or that there is something amiss with the AirPort card itself.
BTW, My D-Link has WEP, WAP-Personal and WAP-Enterprise
Ok, we will want to stick with either WEP or WPA-Personal.
We now have two choices: 1) Continue to troubleshoot additional configuration changes to the D-Link to try to get WPA to work with your G5, or 2) Switch to the lower strength encryption: WEP.
Which would you prefer to try?