PCI Compliance - TLS 1.1, smtpd_tls_mandatory_protocols

  • bill56
  • 05/10/11
Posted: Wed, 2012-09-12 07:40

Hello:

The SecurityMetrics PCI cops are after me again.

They say:

Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389

Checked my server at ssllabs.com (great tool to check your SSL by the way) and it reports:

Protocols:
  TLS 1.2  No
  TLS 1.1  No
  TLS 1.0  Yes
  SSL 3.0  Yes
  SSL 2.0  No

SSL Labs seems to indicate that my current configuration is ok, and is "best practice":

• TLS v1.1 and v1.2 are without known security issues. Unfortunately, many server and client platforms do not support these newer protocol versions. The best practice is to use TLS v1.0 as your main protocol (making sure the BEAST attack is mitigated in configuration, as explained in subsequent sections) and TLS v1.1 and v1.2 if they are supported by your server platform. That way, the clients that support newer protocols will select them, and those that don’t will fall back to TLS v1.0. You should always use the most recent versions of the protocol for security and the oldest (yet still secure) versions for interoperability with your customer base.

However, SecurityMetrics thinks otherwise. How can I fix this to become PCI compliant without breaking my server?

Thanks,

Bill


  • andreychek
  • 01/05/09
  • Wed, 2012-09-12 08:33

Howdy,

The SecurityMetrics PCI cops are after me again.

They're a very persistent bunch :-)

Which distro/version is it that you're using?

And which service(s) is it that they're giving you a hard time about?

-Eric


  • bill56
  • 05/10/11
  • Wed, 2012-09-12 09:22

Hi Eric:

Yes, they are :-(

CentOS Linux 5.8
Kernel and CPU: Linux 2.6.18-308.13.1.el5 on x86_64
Virtualmin version: 3.94.gpl GPL
Webmin version: 1.590

The services are:
  TCP 110 pop3
  TCP 443 https
  TCP 993 imaps
  TCP 143 imap
  TCP 995 pop3s
  TCP 587 submission
  TCP 25 smtp

The above have this message: Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389

Also these services:
  TCP 587 submission
  TCP 25 smtp

Which have this message: Resolution: Configure the service to support less secure authentication mechanisms only over an encrypted channel. Risk Factor: Medium/ CVSS2 Base Score: 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:N

-Bill


  • andreychek
  • 01/05/09
  • Wed, 2012-09-12 11:09

Howdy,

Well, there's some details here in this PCI compliance doc on configuring the ciphers used by your various services:

https://www.virtualmin.com/documentation/security/pci

Now, they aren't disabling TLS v1.0, but you may be able to get a good idea of how all that might work from the examples there.

Here's the trouble though -- I'm not sure if it'll work on your distro.

For example, here are the docs on how to configure all that in Postfix:

http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

They mention that TLS 1.1 and 1.2 are only available beginning with OpenSSL version 1.0.1, and the version provided with CentOS 5.x is openssl-0.9.8e.

However, you could always give it a try and see what happens :-)

-Eric
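An added example (not from the thread and not Virtualmin's own code) covering the two things Eric's reply turns on: whether the installed OpenSSL is 1.0.1 or later, which decides whether TLS 1.1/1.2 can exist at all, and the Postfix settings from postconf(5) that address both scanner findings (the protocol finding and the plaintext-AUTH finding). It assumes a POSIX sh with sed, awk and tr, an `openssl` on PATH, and that the Postfix parameter combination is illustrative rather than a tested production config; the version-comparison helper is my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: decide from the text
# printed by `openssl version` whether this OpenSSL build can do TLS 1.1/1.2
# (needs 1.0.1 or later), then print the Postfix settings that address the two
# findings. Assumptions: a POSIX sh with sed/awk/tr; the Postfix parameter
# names are real (postconf(5)) but the combination is illustrative.

# openssl_ver_ge A B: exit 0 when version A is >= version B.
# Letter suffixes are dropped, so "1.0.1c" compares as 1.0.1 and
# "0.9.8e-fips-rhel5" (the CentOS 5 build) as 0.9.8.
openssl_ver_ge() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s\n' "$a" | tr '.' ' ') 0 0 0   # pad missing fields with 0
    a1=$1; a2=$2; a3=$3
    set -- $(printf '%s\n' "$b" | tr '.' ' ') 0 0 0
    b1=$1; b2=$2; b3=$3
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# openssl_version_of "OpenSSL 1.0.1c 10 May 2012" -> 1.0.1c
openssl_version_of() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# tls12_capable "<output of openssl version>": exit 0 when TLS 1.1/1.2 are
# available to programs linked against this library (OpenSSL >= 1.0.1).
tls12_capable() {
    openssl_ver_ge "$(openssl_version_of "$1")" "1.0.1"
}

# Postfix main.cf fragment. The "!" exclusion syntax needs Postfix 2.5+
# (CentOS 5 ships 2.3, which takes a positive list such as "SSLv3, TLSv1");
# smtpd_tls_protocols is Postfix 2.6+. Apply with postconf -e, then reload.
postfix_tls_settings() {
    cat <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_exclude_ciphers = aNULL, MD5
# Second finding: plaintext SASL mechanisms (PLAIN, LOGIN) only after STARTTLS.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
EOF
}

main() {
    v=$(openssl version 2>/dev/null) || { echo "openssl not on PATH" >&2; return 0; }
    if tls12_capable "$v"; then
        echo "$v: TLS 1.1/1.2 available (to binaries linked against this library)"
    else
        echo "$v: TLS 1.0 is the newest protocol; upgrade OpenSSL before retuning configs"
    fi
    echo "--- suggested Postfix settings ---"
    postfix_tls_settings
}

main
```

Note that the CLI `openssl` only tells you what the library on disk supports; a daemon that was compiled and linked against an older libssl keeps the older limits until it is rebuilt, which is the trap Bill runs into further down the thread.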


  • bill56
  • 05/10/11
  • Tue, 2012-09-18 23:36

Eric:

After a lot of digging, I found a way to install OpenSSL version 1.0.1c on CentOS 5.x here:

www.axivo.com/community/threads/upgrade-to-openssl-1-0-1-in-centos.180/

Did the install per the instructions and system now shows:

openssl version

OpenSSL 1.0.1c 10 May 2012

I have in httpd.conf:

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5

Scan shows TLS 1.0 is the only protocol running - no TLS 1.1 or TLS 1.2

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol says:

SSLProtocol ALL - This is a shortcut for - when using OpenSSL 1.0.1 and later - "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2", respectively.

So it seems TLS 1.1 and TLS 1.2 should work, but they are not working.

What do I have wrong?

Thanks, Bill


  • andreychek
  • 01/05/09
  • Wed, 2012-09-19 00:11

Howdy,

Chances are that you'd need to do more than just install a newer version of OpenSSL... you'd probably also need to compile Apache against that particular OpenSSL version.

I haven't tried what you're trying to do before, and there may be other gotchas as well... but if just installing a newer OpenSSL version doesn't allow you to use the ciphers you need, you may need to recompile Apache.

And that's a pretty big project :-)

Is using a newer CentOS distro (ie, CentOS 6) an option?

But, it should indeed be possible to recompile Apache.

-Eric
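An added example (not from the thread and not Virtualmin's own code) for the situation Eric describes: OpenSSL 1.0.1c is installed, `SSLProtocol ALL` is set, yet the scan still sees only TLS 1.0. The first check asks which libssl `mod_ssl.so` is actually linked against, compared with the one the `openssl` CLI uses; if they differ, httpd is still running the old library and needs to be rebuilt against the new one. The second probes each port from the scan report with `openssl s_client` one TLS version at a time. Assumptions: a POSIX sh with ldd and awk, an OpenSSL 1.0.1 or later `openssl` on PATH (the `-tls1_1`/`-tls1_2` flags do not exist in older builds), and a `mod_ssl.so` path that may differ on your system.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin: two checks for the
# symptom above (new OpenSSL installed, Apache still offers only TLS 1.0).
# First, which libssl mod_ssl.so is actually linked against; second, a
# per-version handshake probe with openssl s_client. Assumptions: POSIX sh
# with ldd/awk, an OpenSSL 1.0.1+ `openssl` on PATH (the -tls1_1/-tls1_2
# flags do not exist earlier), and a mod_ssl.so path that may differ.

MODSSL="${MODSSL:-/usr/lib64/httpd/modules/mod_ssl.so}"   # assumed CentOS x86_64 path

# linked_libssl: read `ldd` output on stdin, print the resolved libssl path.
# CentOS 5 binaries resolve to libssl.so.6; OpenSSL 1.0.1 is libssl.so.1.0.0.
linked_libssl() {
    awk '$1 ~ /^libssl/ { print $3; exit }'
}

# negotiated_protocol: read s_client output on stdin, print the protocol that
# was actually negotiated, or "none". s_client prints a "Protocol :" line even
# when the handshake failed, so the cipher must be checked too (0000 = none).
negotiated_protocol() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2; sub(/[ \t]+$/, "", proto) }
        /^ *Cipher *:/   { cipher = $2; sub(/[ \t]+$/, "", cipher) }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") print "none"
            else print proto
        }'
}

# check_mod_ssl: if mod_ssl and the CLI openssl resolve different libssl
# files, httpd is still using the old library and must be rebuilt against
# the new one, whatever httpd.conf says.
check_mod_ssl() {
    if [ ! -f "$MODSSL" ]; then
        echo "no mod_ssl at $MODSSL (set MODSSL=/path/to/mod_ssl.so)"
        return 0
    fi
    mod_lib=$(ldd "$MODSSL" | linked_libssl)
    cli_lib=$(ldd "$(command -v openssl)" | linked_libssl)
    echo "mod_ssl.so  -> ${mod_lib:-<none>}"
    echo "openssl CLI -> ${cli_lib:-<none>}"
    [ "$mod_lib" = "$cli_lib" ] || echo "MISMATCH: httpd is not using the new OpenSSL"
}

# probe HOST PORT FLAG [STARTTLS-ARGS]: one handshake attempt, e.g.
#   probe mail.example.com 587 -tls1_2 "-starttls smtp"
probe() {
    host=$1; port=$2; flag=$3; extra=${4:-}
    # $extra is intentionally unquoted so "-starttls smtp" splits into two words
    out=$(openssl s_client -connect "$host:$port" "$flag" $extra </dev/null 2>/dev/null) || true
    printf '%-8s %s\n' "$flag" "$(printf '%s\n' "$out" | negotiated_protocol)"
}

# main HOST: probe the ports from the scan report with each TLS version.
main() {
    host=$1
    check_mod_ssl
    for spec in "443:" "993:" "995:" "25:-starttls smtp" "587:-starttls smtp" \
                "143:-starttls imap" "110:-starttls pop3"; do
        port=${spec%%:*}; extra=${spec#*:}
        for flag in -tls1 -tls1_1 -tls1_2; do
            echo "port $port: $(probe "$host" "$port" "$flag" "$extra")"
        done
    done
}

# Network probes run only when a hostname is given: sh tlsprobe.sh mail.example.com
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it on the server itself with its own hostname. If `mod_ssl.so` resolves to `libssl.so.6` while the CLI resolves to `libssl.so.1.0.0`, no `SSLProtocol` setting will enable TLS 1.1/1.2 until httpd is rebuilt against the new headers and libraries, and the same applies to Postfix, Dovecot and anything else behind the listed ports.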