SSLv2 PCI Compliance Situation

BLechtenberg · ‎11-06-2007

I justed talked with the scanning company and said that they can’t connect sslv2 but they are able to pull the certificate with openssl and this why we are failing. Here is how they are testing using openssl client:

openssl s_client -host www.mysite.com -port 443 -ssl2

Does anyone have any idea how to block this?

I have applied the AppRules given to me by JTAC forcing SSLv23 browers to SSLv3 but when this scanning company test using their openssl they are still pulling the cert.

DJ · ‎11-01-2007

If you want to support IE 6 and earlier browsers I don't think there is a way to do it without blocking them outright by turning on sslv3 in your DX cluster. The certificate is public and in order to establish your connection you have to send the cert. Since IE starts it's connection with v2 there is really no way around it. As far as I know PCI calls for strong encryption of cardholder data. So by not allowing anything but sslv3 and above to establish a browser session you are in full compliance.

I would consider this a false positive in the testing tool.

If you have any more questions or concerns let me know.

DJ

DJ Skillman
Manager, Technical Marketing
DX Application Acceleration and Load Balancing

BLechtenberg · ‎11-06-2007

Thank you for explanation of this situation.

SSLv2 PCI Compliance Situation

Re: SSLv2 PCI Compliance Situation

Re: SSLv2 PCI Compliance Situation