DX - Load Balancing & Application Acceleration

SSLv2 PCI Compliance Situation

12-07-2007 12:54 PM

I just talked with the scanning company and they said that they can't connect with SSLv2, but they are able to pull the certificate with openssl, and this is why we are failing. Here is how they are testing using the openssl client:

openssl s_client -host www.mysite.com -port 443 -ssl2

Does anyone have any idea how to block this?

I have applied the AppRules given to me by JTAC forcing SSLv23 browsers to SSLv3, but when this scanning company tests using their openssl they are still pulling the cert.
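For reproducing the scanner's check against your own VIP without depending on an openssl build that still has -ssl2, here is an added Python example (not from this thread or from Juniper) that sends a raw SSLv2 CLIENT-HELLO and reports whether the server answered with an SSLv2 SERVER-HELLO, which is the message that carries the certificate the scanner is "pulling". The host name passed to probe() is a placeholder, and the sample replies at the bottom are constructed bytes for offline checking.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (SSL_CK_*), 3 bytes each, offered in the probe.
SSLV2_CIPHERS = [b"\x01\x00\x80", b"\x02\x00\x80", b"\x03\x00\x80", b"\x04\x00\x80",
                 b"\x05\x00\x80", b"\x06\x00\x40", b"\x07\x00\xc0"]

def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record (2-byte header with the high bit set)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, len(challenge))  # type 1, version 2, no session id
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO; return None if the reply is not one (e.g. a TLS alert)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(body) < 11 or body[0] != 0x04:
        return None
    version, cert_len, specs_len, _conn_len = struct.unpack(">HHHH", body[3:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return {"version": version, "cert_type": body[2], "certificate": cert,
            "ciphers": [specs[i:i + 3] for i in range(0, len(specs), 3)]}

def sslv2_negotiated(reply):
    """True when the server answered with an SSLv2 SERVER-HELLO carrying its certificate."""
    hello = parse_server_hello(reply)
    return hello is not None and hello["version"] == 2 and len(hello["certificate"]) > 0

def probe(host, port=443, timeout=5.0):
    """Probe your own endpoint; a server that rejects SSLv2 sends a TLS alert or drops the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""
    return sslv2_negotiated(reply)

# Constructed sample replies: a SERVER-HELLO (5-byte placeholder DER, two ciphers, 16-byte conn id) and a TLS alert.
_CERT, _SPECS = b"\x30\x03\x02\x01\x01", b"\x01\x00\x80\x07\x00\xc0"
_BODY = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(_CERT), len(_SPECS), 16) + _CERT + _SPECS + b"\x00" * 16
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_BODY)) + _BODY
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal alert, protocol_version (70)
```

A compliant configuration should make probe("www.mysite.com") return False: the SSLv2 hello is answered with a TLS alert or a closed connection, and no certificate is returned over SSLv2 at all.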

2 REPLIES

Re: SSLv2 PCI Compliance Situation

12-07-2007 04:08 PM
If you want to support IE 6 and earlier browsers, I don't think there is a way to do it without blocking them outright by turning on sslv3 in your DX cluster. The certificate is public, and in order to establish your connection you have to send the cert. Since IE starts its connection with v2, there is really no way around it. As far as I know, PCI calls for strong encryption of cardholder data. So by not allowing anything but sslv3 and above to establish a browser session, you are in full compliance.

I would consider this a false positive in the testing tool.

If you have any more questions or concerns let me know.

DJ
DJ Skillman
Manager, Technical Marketing
DX Application Acceleration and Load Balancing

Re: SSLv2 PCI Compliance Situation

12-07-2007 04:40 PM
Thank you for the explanation of this situation.