DX - Load Balancing & Application Acceleration
Juniper Employee
BLechtenberg
Posts: 5
Registered: 11-06-2007

SSLv2 PCI Compliance Situation

I just talked with the scanning company, and they said that they can't connect with SSLv2 but they are able to pull the certificate with openssl, and this is why we are failing. Here is how they are testing using the openssl client:

openssl s_client -host www.mysite.com -port 443 -ssl2

Does anyone have any idea how to block this?

I have applied the AppRules given to me by JTAC forcing SSLv23 browsers to SSLv3, but when this scanning company tests using their openssl they are still pulling the cert.

DJ
Contributor
DJ
Posts: 24
Registered: 11-01-2007

Re: SSLv2 PCI Compliance Situation

If you want to support IE 6 and earlier browsers, I don't think there is a way to do it without blocking them outright by turning on sslv3 in your DX cluster. The certificate is public, and in order to establish your connection you have to send the cert. Since IE starts its connection with v2, there is really no way around it. As far as I know, PCI calls for strong encryption of cardholder data. So by not allowing anything but sslv3 and above to establish a browser session, you are in full compliance.

I would consider this a false positive in the testing tool.

If you have any more questions or concerns let me know.

DJ
DJ Skillman
Manager, Technical Marketing
DX Application Acceleration and Load Balancing
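One way to tell the two cases DJ distinguishes apart, as an added check that is not part of this thread or of the DX product: parse the transcript the scanner's own `openssl s_client ... -ssl2` command produces and report whether an SSLv2 session was genuinely negotiated or only the (public) certificate came back. The function names `classify_s_client` and `probe_sslv2` are hypothetical; `probe_sslv2` assumes `openssl` is on PATH and that the build still accepts `-ssl2`, as the scanner's did.

```python
"""Classify an `openssl s_client -ssl2` transcript: was an SSLv2 session
actually negotiated, or did the client merely receive the public certificate?"""
import re
import subprocess

# Summary line s_client prints after the handshake attempt, e.g.
# "New, SSLv2, Cipher is DES-CBC3-MD5" or "New, (NONE), Cipher is (NONE)".
CIPHER_LINE = re.compile(r"^New, (?P<proto>\S+), Cipher is (?P<cipher>\S+)", re.M)
PROTO_LINE = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)", re.M)  # SSL-Session block


def classify_s_client(output: str) -> str:
    """'sslv2-negotiated': server completed an SSLv2 handshake (a real finding).
    'cert-only': the certificate came back but no SSLv2 cipher was agreed,
    which is the case the thread argues is a false positive.
    'refused': neither a certificate nor a session was obtained."""
    cert_seen = "-----BEGIN CERTIFICATE-----" in output
    m = CIPHER_LINE.search(output)
    cipher = m.group("cipher") if m else "(NONE)"
    protos = {p.group("proto") for p in PROTO_LINE.finditer(output)}
    if m:
        protos.add(m.group("proto"))
    if cipher != "(NONE)" and "SSLv2" in protos:
        return "sslv2-negotiated"
    return "cert-only" if cert_seen else "refused"


def probe_sslv2(host: str, port: int = 443, timeout: int = 15) -> str:
    """Run the scanner's own command and classify it. Assumes an OpenSSL build
    that still accepts -ssl2 (modern builds do not) is on PATH."""
    proc = subprocess.run(
        ["openssl", "s_client", "-host", host, "-port", str(port), "-ssl2"],
        input=b"", capture_output=True, timeout=timeout)
    return classify_s_client(proc.stdout.decode(errors="replace")
                             + proc.stderr.decode(errors="replace"))


# Constructed transcripts (not captured from a real scan) for both outcomes.
SAMPLE_NEGOTIATED = """CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
MIIC(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
"""
SAMPLE_CERT_ONLY = SAMPLE_NEGOTIATED.split("New, SSLv2")[0] + "New, (NONE), Cipher is (NONE)\n"
```

Only the `sslv2-negotiated` result means the DX actually completed a v2 handshake; `cert-only` is the situation described in this thread, where the certificate was returned without any SSLv2 cipher being agreed.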
Juniper Employee
BLechtenberg
Posts: 5
Registered: 11-06-2007

Re: SSLv2 PCI Compliance Situation

Thank you for the explanation of this situation.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.