Re: HIPAA supported ciphers

2019-06-22 Thread Lyndon Nerenberg
Kihaguru Gathura writes:
[...]
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant
> with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance

> Under what circumstances could these ciphers be not considered for
> HIPAA compliance?

These aren't known to the HIPAA standard, and it doesn't allow
unknown ciphers. Just disable the Camellia ciphers and you'll pass
the validation.

You'll run into similar issues passing PCI-DSS.  We use the following
settings to make the various validators happy:

ssl_ciphers "HIGH:!DES:!3DES:!CHACHA20:!RC4:!MD5:!aNULL:!EDH:!CAMELLIA";
ssl_prefer_server_ciphers on;

--lyndon
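A small check, added here and not part of the thread or of nginx, that applies the `!` exclusions of the ssl_ciphers value above to the suite names a scanner reported, so you can see which observed suites the policy drops before re-running the validator. The keyword-to-suite-name mapping is a constructed simplification of OpenSSL's aliases, and positive keywords such as HIGH are not modelled; the suite list below is constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Simplified, constructed mapping from OpenSSL-style exclusion keywords
# (as used in nginx ssl_ciphers) to patterns over IANA cipher-suite names.
EXCLUDE_PATTERNS: Dict[str, str] = {
    "CAMELLIA": r"_CAMELLIA_",
    "CHACHA20": r"_CHACHA20_",
    "3DES":     r"_3DES_EDE_",
    "DES":      r"_(?:3DES_EDE|DES)_CBC_",   # single DES and 3DES alike
    "RC4":      r"_RC4_",
    "MD5":      r"_MD5$",
    "aNULL":    r"_anon_",                    # unauthenticated key exchange
    "EDH":      r"^TLS_DHE_",                 # finite-field ephemeral DH
}

# The value posted in the thread; the directive form is accepted too.
NGINX_SSL_CIPHERS = '"HIGH:!DES:!3DES:!CHACHA20:!RC4:!MD5:!aNULL:!EDH:!CAMELLIA"'

# Constructed sample of what a scanner might list for a server.
SCANNER_SUITES = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def parse_exclusions(ssl_ciphers: str) -> List[str]:
    """Return the '!' keywords of an nginx ssl_ciphers value, in order."""
    value = ssl_ciphers.strip()
    if value.startswith("ssl_ciphers"):
        value = value[len("ssl_ciphers"):]
    value = value.strip().rstrip(";").strip().strip('"')
    return [tok[1:] for tok in value.split(":") if tok.startswith("!")]

def apply_policy(suites: List[str], ssl_ciphers: str) -> Tuple[List[str], Dict[str, str]]:
    """Split observed suites into (kept, removed-by-keyword) under the exclusions.
    Only '!' keywords are applied to the suites the scanner actually observed."""
    exclusions = parse_exclusions(ssl_ciphers)
    kept: List[str] = []
    removed: Dict[str, str] = {}
    for suite in suites:
        hit = next((kw for kw in exclusions
                    if kw in EXCLUDE_PATTERNS and re.search(EXCLUDE_PATTERNS[kw], suite)), None)
        if hit is None:
            kept.append(suite)
        else:
            removed[suite] = hit
    return kept, removed

if __name__ == "__main__":
    kept, removed = apply_policy(SCANNER_SUITES, NGINX_SSL_CIPHERS)
    for suite, kw in removed.items():
        print(f"dropped by !{kw}: {suite}")
    print("still offered:", kept)
```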



Re: HIPAA supported ciphers

2019-06-21 Thread Nick Holland
On 6/21/19 12:43 AM, Kihaguru Gathura wrote:
> OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019
> 
> Hi,
> 
> SSL compliance tests below refers. (htbridge)
> 
> 
> 2:SUPPORTED CIPHERS
> TLSv1.2
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant
> with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
> 
> Under what circumstances could these ciphers be not considered for
> HIPAA compliance?

They could be things that aren't on the list that was compiled ten years
ago; they could be sub-optimal options that are still in widespread use
today.  You are asking the wrong people.  Talk to your compliance people
and/or auditors.

Do what they tell you to do; it's easier than reasoning with them.

Remember: Security is important for ethical reasons.  Compliance is
important for legal reasons.  The key to workplace contentment is
understanding they are unrelated to each other.  Both are important, but
one does not lead to the other.

And audits go better when the auditor finds something to complain about
and gets you to change.

Nick.



HIPAA supported ciphers

2019-06-21 Thread Kihaguru Gathura
OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019

Hi,

SSL compliance tests below refers. (htbridge)


2:SUPPORTED CIPHERS
TLSv1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
TLS_RSA_WITH_CAMELL TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant
with HIPAA guidance
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance

Under what circumstances could these ciphers be not considered for
HIPAA compliance?

Regards,

Kihaguru.