AAAAAAAUUUUGGGGHHH! <RANT> If anyone "fails" you on an assessment without providing guidance on resolution/remediation/mitigation, your payment to them should "fail" to appear. Who was this, those (in my personal *opinion*) monkey sodomizing rat bastards at Security Metrics? Or just another Qualys scan pusher without a clue or care?
I believe the appropriate questions are things like "what is exposed by this", "what are the likelihood and impacts of compromise", "can we mitigate a fundamental flaw in the protocol with additional processes", etc.? I'm still explaining to idiots like this why TCP 587 is listening on mail servers. </RANT>

As far as mitigation, maybe a patched proxy in front of the SSL/TLS device(s) could handle it? Or maybe nothing significant is actually exposed by this?

<SHAMELESS SELF PROMOTION> This kind of crap is what led me to get involved in an ongoing PCI DSS conversation with a bunch of people: podcasts, articles, and talks to come. I'll be on a panel at Shmoocon with some folks who actually know what they're talking about; we'll be discussing the realities of PCI and its impact on our industry. </SHAMELESS SELF PROMOTION>

Who, me, too much caffeine? Nah.

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

On Mon, Dec 21, 2009 at 5:09 AM, Monkey Daemon <[email protected]> wrote:
> Hi All,
>
> I've been speaking to a family member over the weekend who works in a
> similar line of work to myself and we got to talking about PCI
> Compliance.
>
> He's just had a quarterly scan performed and he failed it owing to the
> issues with Session Negotiation when using SSL/TLS. The problem he
> has is that he's running Linux and not only has his distro not
> released packages for OpenSSL 0.9.8l but the distro vendor is refusing
> to issue a patch, stating that as it's an issue with the underlying
> protocol there is no point.
>
> Does anyone have a fix to this other than "compile your own SSL with
> negotiation switched off and hope nothing breaks"?
>
> I'm now concerned that when our scan comes around early next year we
> will also fail.
>
> Cheers,
>
> MWD.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
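Added example, not part of the thread above and not code from either poster: the scan finding MWD describes is the TLS renegotiation issue, and what a scanner keys on is whether the server's ServerHello carries the RFC 5746 renegotiation_info extension (type 0xff01). OpenSSL 0.9.8l only switched renegotiation off; the RFC 5746 fix came with 0.9.8m. The script below sends a TLS 1.2-only ClientHello (no supported_versions, so a modern server cannot answer with TLS 1.3, which has no renegotiation at all) and reports whether the extension comes back. The cipher list it offers, the hostname you pass, and the constructed sample ServerHello used for the offline check are this example's own assumptions; the sample is not a capture from any real host.

```python
"""Probe a TLS server for the RFC 5746 renegotiation_info extension.
Added example; the parser is exercised on a constructed ServerHello."""
import os
import socket
import struct

RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type
SCSV = 0x00FF                 # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo-cipher
TLS12 = b"\x03\x03"


def ext(ext_type, body):
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname):
    """TLS 1.2-only ClientHello advertising RFC 5746 support. The cipher list and
    the curves/signature algorithms offered are assumptions, not a scanner's set."""
    ciphers = b"".join(struct.pack("!H", c) for c in
                       (0xC02F, 0xC030, 0xC02B, 0x009C, 0x009D, 0x002F, 0x0035, SCSV))
    host = hostname.encode()
    exts = (
        ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)  # server_name
        + ext(0x000A, b"\x00\x04\x00\x1d\x00\x17")          # supported_groups: x25519, P-256
        + ext(0x000B, b"\x01\x00")                          # ec_point_formats: uncompressed
        + ext(0x000D, b"\x00\x06\x04\x01\x08\x04\x04\x03")  # signature_algorithms
        + ext(RENEGOTIATION_INFO, b"\x00")                  # empty renegotiated_connection
    )
    body = (TLS12 + os.urandom(32) + b"\x00"                # version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Parse the first TLS record; return version, cipher, extensions and whether
    renegotiation_info was present with an empty renegotiated_connection."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    if ctype == 0x15:
        raise ValueError("server sent alert level=%d description=%d" % (data[5], data[6]))
    if ctype != 0x16:
        raise ValueError("unexpected record type 0x%02x" % ctype)
    hs = data[5:5 + rlen]
    if not hs or hs[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression method
    exts = {}
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": "%04x" % struct.unpack("!H", body[0:2])[0],
            "cipher": cipher, "extensions": exts,
            "secure_renegotiation": exts.get(RENEGOTIATION_INFO) == b"\x00"}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello and parse the first record the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = recv_exact(sock, 5)
        return parse_server_hello(header + recv_exact(sock, struct.unpack("!H", header[3:5])[0]))


def build_sample_server_hello(secure_reneg):
    """Constructed TLS 1.2 ServerHello (cipher 0x002f) for offline use; not a capture."""
    exts = ext(RENEGOTIATION_INFO, b"\x00") if secure_reneg else b""
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python reneg_probe.py mail.example.com
    else:
        for flag in (True, False):
            print(parse_server_hello(build_sample_server_hello(flag)))
```

Run it with a hostname to probe a live server, or with no arguments to see the parser on the two constructed cases. Two caveats: a ServerHello without the extension means the server does not implement RFC 5746, which is the condition a scanner reports, but it says nothing about whether client-initiated renegotiation is actually accepted (a 0.9.8l build with renegotiation disabled outright, or a patched proxy in front, will also answer without it), and that second question needs a real renegotiation attempt, which this script does not make.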
