I just finished a long conference call with my PCI compliant provider and VISA.
After testing on several servers I found some weaknesses in the current SSLCipherSuite in both Webmin and Usermin, plus normal SSL sites.
The following information came from testing at https://www.ssllabs.com/ssldb/ and info from http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
The ciphers that both my PCI provider and I came up with that will be the best security for any SSL attacks are:
ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
For Apache, these lines are now required by my PCI provider, and other providers will be contacted to update their requirements in a few days.
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Both Webmin and Usermin must be updated to use those ciphers in that order to maintain PCI compliance.
I will be updating my PCI docs to include the new settings that will be required.
If anyone has questions you can contact me directly via email (sgrayban[at]gmail.com) or via phone +1.509.279.0985
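Before copying a cipher string like the one above into Apache, Webmin or Usermin, it helps to audit it as text: the order of the positive entries is exactly the server preference that SSLHonorCipherOrder will enforce, and repeated entries (here AES256-SHA256 and !ADH each appear twice) are harmless to OpenSSL but hide what the list actually does. The following is an added example, not code from the thread or from Webmin; it needs no OpenSSL and therefore cannot expand aliases such as HIGH, and the RC4 note reflects RFC 7465, which postdates this post.

```python
"""Audit an OpenSSL cipher-suite string purely at the string level."""
from collections import Counter

# The SSLCipherSuite value recommended in the post above.
PCI_SUITE = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:"
             "!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM")

# Entries a reviewer should revisit before reusing this list today
# (assumption: reviewer's own policy; RC4 in TLS is prohibited by RFC 7465).
REVIEW = {"RC4": "RC4 is prohibited for TLS by RFC 7465"}


def parse_suite(suite):
    """Split a cipher string into (operator, name) pairs, in order.

    OpenSSL operators: '!' removes permanently, '-' removes but allows
    re-adding, '+' moves to the end; no prefix adds. ':' ',' and space
    all separate entries.
    """
    entries = []
    for token in suite.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        entries.append((op, token[len(op):]))
    return entries


def audit_suite(suite):
    """Report preference order, exclusions, duplicates and review items."""
    entries = parse_suite(suite)
    counts = Counter(entries)
    preference = []
    for op, name in entries:
        # A second plain add of an already-active entry is ignored by
        # OpenSSL, so only the first occurrence fixes the position.
        if op == "" and name not in preference:
            preference.append(name)
    return {
        "preference": preference,  # order SSLHonorCipherOrder enforces
        "excluded": sorted({n for op, n in entries if op == "!"}),
        "duplicates": sorted({op + n for (op, n), c in counts.items() if c > 1}),
        "review": {n: REVIEW[n] for _, n in entries if n in REVIEW},
        # Same selection as the original, with repeats dropped.
        "deduplicated": ":".join(dict.fromkeys(op + n for op, n in entries)),
    }


if __name__ == "__main__":
    for key, value in audit_suite(PCI_SUITE).items():
        print(f"{key}: {value}")
```

Run it against any candidate SSLCipherSuite value; the "deduplicated" line is the string to paste into the config, and the "preference" list is what to compare against the order the scanner at ssllabs.com reports.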
Comments
Submitted by JamieCameron on Thu, 10/27/2011 - 16:43 Comment #1
That sounds like it should be relatively easy to make into the new defaults ...
Do you know if there are going to be any Apache or browser version issues though?
Submitted by sgrayban on Thu, 10/27/2011 - 17:05 Comment #2
There are no known issues with Apache or any current browser.
I tested FF, Chrome, Opera and Konqueror.