This perl script came up in Google from: www.linux-advocacy.org/wp-content/
Not quite sure who the author of that code was/is.
The PCI scans appear to be picking up some weak cipher suites on HTTPS, POP3S, IMAPS and SMTPS. This is easily fixed with the following configuration file examples:
Apache ssl.conf (or httpd.conf ):
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLCipherSuite ALL:-ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1
If using courier for IMAP & POP3, the imapd-ssl and pop3d-ssl files in /etc/courier-imap (or wherever the configuration files live) will need updating.
imapd-ssl:
TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
pop3d-ssl:
TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
And if using qmail for SMTP/s you may need to create the tlsserverciphers file in /var/qmail/control/. You can do this with:
openssl ciphers > /var/qmail/control/tlsserverciphers
Then remove the ciphers that PCI are complaining about. In this case they were: EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5
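As an added example (not from the original post), the qmail pruning step above done as a shell function: it takes a colon-separated cipher list like the one openssl ciphers writes and drops the names the scanner flagged. The sample list is constructed, not real openssl output, and the FLAGGED names are the ones quoted above; the !EXP/!LOW pattern used later on the page does the same job more robustly, since it also covers export ciphers the scanner did not name.

```shell
#!/bin/sh
# Added example, not from the original post: prune scanner-flagged ciphers
# from a colon-separated OpenSSL cipher list such as the one that
# "openssl ciphers > /var/qmail/control/tlsserverciphers" produces.

# prune_ciphers LIST FLAGGED
#   LIST    - colon-separated cipher names (OpenSSL cipher-list format)
#   FLAGGED - space-separated cipher names to drop
# Prints LIST with every FLAGGED name removed, original order preserved.
prune_ciphers() {
  pc_out=""
  for pc_c in $(printf '%s' "$1" | tr ':' ' '); do
    pc_keep=1
    for pc_f in $2; do
      if [ "$pc_c" = "$pc_f" ]; then
        pc_keep=0
        break
      fi
    done
    if [ "$pc_keep" -eq 1 ]; then
      # append with a ':' separator unless this is the first kept name
      pc_out="${pc_out}${pc_out:+:}${pc_c}"
    fi
  done
  printf '%s\n' "$pc_out"
}

# Ciphers the PCI scan flagged in the post (duplicates collapsed).
FLAGGED="EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA"

# Constructed sample list standing in for "openssl ciphers" output.
SAMPLE="DHE-RSA-AES256-SHA:AES256-SHA:EXP-RC4-MD5:RC4-MD5:EXP-DES-CBC-SHA:DES-CBC3-SHA:EXP-RC2-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA"

# Demo: print what the server would be left with. To apply it, redirect
# the output to the control file, e.g. > /var/qmail/control/tlsserverciphers
prune_ciphers "$SAMPLE" "$FLAGGED"
# -> DHE-RSA-AES256-SHA:AES256-SHA:RC4-MD5:DES-CBC3-SHA
```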
Or, even better:
Directory: /etc/httpd/conf.d/
File: /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
Directory: /var/qmail/control/
[root@server control]# cat tlsserverciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:-SSLv2
[root@server1 control]# cat tlsclientciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-SSLv2
Directory: /etc/courier-imap
[root@server courier-imap]# grep TLS_CIPHER_LIST= *-ssl
imapd-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
pop3d-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
I tested this by removing one of the above and trying to connect:
# openssl s_client -cipher EXP-RC4-MD5 -connect localhost:smtps
CONNECTED(00000003)
25857:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:489:
Then I put it back in the list and tried again and could connect again. Connections can be tested manually with: openssl s_client -ssl2 -connect host:port
Update 25/02/2010:
Additional URLs: