Submitted by sgrayban on Mon, 01/09/2012 - 02:37
PCI compliance has changed. The new cyphers must use
ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
from now on.
Please make the code changes in both webmin and usermin.
Just a thought, but wouldn't it be a good idea to set that as the default cypher list for any SSL site?
Status:
Closed (fixed)
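The string in the report above is written in OpenSSL cipher-list syntax: a bare name adds the matching suites in preference order, `!name` removes them permanently, `-name` removes them until a later token adds them back, and `+name` moves them to the end of the list. The following Python is an added example, not Webmin or Virtualmin code, that parses that grammar and reports what a reviewer would check before deploying such a list: duplicate tokens, a name that is both enabled and killed, and enabled mnemonics that this example's own WEAK_KEYWORDS set (an assumption of the example, not part of the issue) treats as weak. Which concrete suites a mnemonic such as HIGH or MEDIUM expands to depends on the OpenSSL build in use, so the authoritative check remains `openssl ciphers -v '<list>'` on the server itself.

```python
"""Parse an OpenSSL cipher-list string and lint the policy it expresses.

Added example; not Webmin/Virtualmin code. Only the prefix grammar is
modelled: expanding HIGH, MEDIUM, etc. into suites needs the real OpenSSL.
"""
from dataclasses import dataclass, field

# Constructed input: the cipher list quoted in the issue above.
PCI_2012_LIST = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:"
    "+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM"
)

# Assumption (this example's own policy): mnemonics that a present-day
# review flags when they are enabled rather than excluded.
WEAK_KEYWORDS = {"RC4", "MEDIUM", "LOW", "EXPORT", "DES", "3DES", "MD5", "SSLv2", "SSLv3"}


@dataclass
class CipherPolicy:
    enabled: list = field(default_factory=list)     # bare names, in preference order
    killed: list = field(default_factory=list)      # '!name': removed, cannot be re-added
    deleted: list = field(default_factory=list)     # '-name': removed, may be re-added later
    demoted: list = field(default_factory=list)     # '+name': moved to the end of the list
    duplicates: list = field(default_factory=list)  # repeated tokens (harmless, but noisy)
    warnings: list = field(default_factory=list)


def parse_cipher_list(spec):
    """Split a cipher-list string into the operations it expresses and lint it."""
    policy = CipherPolicy()
    seen = set()
    buckets = {"!": policy.killed, "-": policy.deleted,
               "+": policy.demoted, "": policy.enabled}
    for token in (t.strip() for t in spec.split(":")):
        if not token:
            continue                      # tolerate "A::B" or a trailing colon
        if token in seen:
            policy.duplicates.append(token)
            continue
        seen.add(token)
        if token.startswith("@"):         # sort directives such as @STRENGTH
            policy.warnings.append(f"directive {token} not modelled by this parser")
            continue
        prefix, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if not name:
            raise ValueError(f"prefix with no cipher name: {token!r}")
        buckets[prefix].append(name)
    lint(policy)
    return policy


def lint(policy):
    """Append defender-oriented findings to policy.warnings and return them."""
    for name in policy.enabled:
        if name in WEAK_KEYWORDS:
            policy.warnings.append(f"weak mnemonic enabled: {name}")
    for name in policy.enabled:
        if name in policy.killed:
            # '!' wins regardless of position, so the enabling token is dead weight
            policy.warnings.append(f"{name} is enabled and killed by !{name}; the kill wins")
    for token in policy.duplicates:
        policy.warnings.append(f"duplicate token: {token}")
    return policy.warnings


if __name__ == "__main__":
    report = parse_cipher_list(PCI_2012_LIST)
    print("enabled :", report.enabled)
    print("killed  :", report.killed)
    print("demoted :", report.demoted)
    for w in report.warnings:
        print("warning :", w)
```

Run against the list from the issue, the parser shows that RC4 and MEDIUM are positively enabled, that AES256-SHA256 and !ADH are repeated, and that TLSv1 and SSLv3 suites are merely demoted rather than removed; comparing that reading with `openssl ciphers -v` output on the target host is the step that turns the string into a verifiable policy.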
Comments
Submitted by andreychek on Mon, 01/09/2012 - 10:15 Comment #1
Submitted by JamieCameron on Mon, 01/09/2012 - 16:26 Comment #2
I've updated the default cipher list to those listed... Also, Virtualmin will use these by default for SSL on new installs.
BTW, where did you get this cipher list from?
Submitted by sgrayban on Mon, 01/09/2012 - 16:34 Comment #3
It came from this bug report https://www.virtualmin.com/node/19992
Essentially VISA agreed that the TLS attack is valid and should be blocked either by enforcing the cyphers I and others suggested or by patch. Since no one so far can verify a patch was done on any browser or system other than Opera, VISA is now requiring these cyphers be used regardless of whether the system was patched or not.
Submitted by sgrayban on Mon, 01/09/2012 - 16:35 Comment #4
Also the new cyphers are listed in my How to be PCI compliant document.
Submitted by sgrayban on Mon, 01/09/2012 - 16:41 Comment #5
The TLS vulnerability test can be done at https://www.ssllabs.com/ssldb/
When I do mine, that TLS attack will not work on my server...
Test date Mon Jan 09 22:38:39 UTC 2012
Test duration 45.911 seconds
Server signature Apache
Server hostname borgnet.net
Session resumption Yes
BEAST attack Not vulnerable
Secure Renegotiation Supported, with client-initiated renegotiation disabled
Insecure Renegotiation Not supported
Strict Transport Security No
TLS version tolerance 0x0304: 0x301; 0x0399: 0x301; 0x0499: fail
PCI compliant Yes
FIPS-ready No
Ephemeral DH Not seen
If the BEAST attack is there it will be shown in RED and also listed in the summary.
Submitted by Issues on Mon, 01/23/2012 - 16:45 Comment #6
Automatically closed -- issue fixed for 2 weeks with no activity.