Re: HIPAA supported ciphers

Kihaguru Gathura writes:

[...]

> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant
> with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
>
> Under what circumstances could these ciphers be not considered for
> HIPAA compliance?

These aren't known to the HIPAA standard, and it doesn't allow unknown ciphers. Just disable the Camellia ciphers and you'll pass the validation. You'll run into similar issues passing PCI-DSS.

We use the following settings to make the various validators happy:

    ssl_ciphers "HIGH:!DES:!3DES:!CHACHA20:!RC4:!MD5:!aNULL:!EDH:!CAMELLIA";
    ssl_prefer_server_ciphers on;

--lyndon
Re: HIPAA supported ciphers

On 6/21/19 12:43 AM, Kihaguru Gathura wrote:
> OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019
>
> Hi,
>
> SSL compliance tests below refer. (htbridge)
>
>
> 2:SUPPORTED CIPHERS
> TLSv1.2
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant
> with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
>
> Under what circumstances could these ciphers be not considered for
> HIPAA compliance?

They could be things that aren't on the list that was compiled ten years ago; they could be sub-optimal options that are still in widespread use today.

You are asking the wrong people. Talk to your compliance people and/or auditors. Do what they tell you to do; it's easier than reasoning with them.

Remember: Security is important for ethical reasons. Compliance is important for legal reasons. The key to workplace contentment is understanding they are unrelated to each other. Both are important, but one does not lead to the other. And audits go better when the auditor finds something to complain about and gets you to change it.

Nick.
HIPAA supported ciphers

OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019

Hi,

SSL compliance tests below refer. (htbridge)

2:SUPPORTED CIPHERS
TLSv1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance

Under what circumstances could these ciphers be not considered for HIPAA compliance?

Regards,
Kihaguru.