We are trying to get PCI compliance to be able to do credit card processing.
We have resolved all the issues but for the "Weak Supported SSL Cipher
Suites on https (443/tcp)".
In a typical environment this is normally set at the Tomcat configuration/Apache
configuration level, and in OFBiz these settings are in
ofbiz-container.xml (root/frameworks/base/config). Any help to fine-tune the
configuration to solve this risk is greatly appreciated.
Our current settings:
server - Linux, CentOS 5
SSL certificate - supports up to 256-bit encryption
security protocol used - TLSv1 (ofbiz-container.xml)
cipher suite - "HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW" (basically
allows only high and medium ciphers of either SSLv3 or
TLSv1) (ofbiz-container.xml)
PCI rejection error:

Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication}
Enc={symmetric encryption method} Mac={message authentication code} {export flag}
--
View this message in context:
http://www.nabble.com/PCI-compliance-issue---week-ciphers-are-enabled-by-default-tp25273745p25273745.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
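An added example, not part of the post above or of OFBiz: a small parser for the scanner's documented field layout ({ciphername} Kx= Au= Enc= Mac= {export flag}) that reports why each listed suite fails. It goes slightly beyond the scan's "Low Strength (< 56-bit)" category by also flagging anonymous/null suites and the legacy algorithms RC4, single DES and MD5, so the same check can be run against the full output of `openssl ciphers -v` for a candidate cipher string before re-scanning. The sample lines are constructed.

```python
import re

# Constructed sample in the scanner's documented layout: {OpenSSL ciphername}
# Kx={key exchange} Au={authentication} Enc={symmetric encryption} Mac={MAC} {export flag}
SAMPLE = """\
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)"
    r"\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

def parse(text):
    """Return one dict per cipher line; protocol headings such as 'SSLv3' are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["export"] = s["export"] is not None
            suites.append(s)
    return suites

def findings(s):
    """Reasons a parsed suite should be disabled (empty list means acceptable)."""
    reasons = []
    m = re.search(r"\((\d+)\)", s["enc"])
    bits = int(m.group(1)) if m else 0  # Enc=None carries no key size
    if s["export"]:
        reasons.append("export-grade")
    if bits < 56:
        reasons.append("low strength (< 56-bit symmetric key)")
    if s["au"] == "None" or s["enc"].startswith("None"):
        reasons.append("anonymous or null cipher")
    if s["enc"].split("(")[0] in ("RC4", "DES") or s["mac"] == "MD5":
        reasons.append("legacy algorithm (RC4/DES/MD5)")
    return reasons

def weak_suites(text):
    """Map each offending cipher name to its reasons, e.g. from a PCI scan result."""
    return {s["name"]: findings(s) for s in parse(text) if findings(s)}
```

Run `weak_suites(SAMPLE)` (or feed it the scanner's plugin output) to get a name-to-reasons map; every name it returns must be absent from the server's effective cipher list before the scan will pass.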