Educause Security Discussion mailing list archives

Re: Certificates


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 10 Sep 2010 11:47:38 +0000

And you’ll have to do that to comply with PCI requirements. Enabled weak ciphers and protocols will show up in a 
vulnerability scan and they’re scored at or above CVSS 4.0 at which level PCI mandates correction. For example, if you 
have a supporting web site with a “pay now” link leading to an outsourced processor.



On 9/9/10 6:01 PM, "Mark Montague" <markmont () UMICH EDU> wrote:

On September 9, 2010 17:45, Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM> wrote:



Just a comment about the quality of certs…

If you have anything to do with personally identifiable information going over the network via the SSL be sure you get 
at least 128b with less crypto turned OFF in order to be compliant with PCI and other requirements.



I recommend that instead of trying to get a certificate that is labeled to not allow connections with strength of less 
than 128 bits, you configure your web server to disallow this and to also disallow known-weak protocols and ciphers.  
Configuring this in the web server rather than the certificate not only gives you more control but is more certain, in 
my opinion, and may save you money, too, depending on which certificate vendor you are using.  As an example, here are 
the options I use for Apache HTTP Server 2.2.x:

 SSLProtocol ALL -SSLv2
 SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH

This restricts the web server to using either SSLv3 or TLS only, together with 128 bit or stronger encryption.



--
  Mark Montague
  markmont () umich edu
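To make the effect of that SSLCipherSuite string concrete, here is an added example (not from the thread, and not Apache's or mod_ssl's own code) that hands the posted string to the local OpenSSL through Python's ssl module, which is the same SSL_CTX_set_cipher_list call mod_ssl makes, and then lists which of the selected suites fall below 128 bits of effective strength, offer no server authentication, or offer no encryption. Which suites get reported depends on the OpenSSL build the script runs against; the function names, the 128-bit threshold and the hardened comparison string with !aNULL and !3DES are the example's own assumptions.

```python
import ssl

# The SSLCipherSuite value posted in the thread, evaluated against this
# machine's OpenSSL. mod_ssl passes this string to SSL_CTX_set_cipher_list,
# which is what SSLContext.set_ciphers() calls underneath.
POSTED_CIPHER_STRING = "ALL:!NULL:!LOW:!EXP:!ADH"


def allowed_ciphers(cipher_string):
    """Cipher-suite dicts (name, protocol, description, strength_bits, ...)
    that the local OpenSSL would offer for an OpenSSL-format cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def weak_ciphers(cipher_string, min_bits=128):
    """Suites still selected whose effective key strength is below min_bits."""
    return [c for c in allowed_ciphers(cipher_string) if c["strength_bits"] < min_bits]


def unauthenticated_ciphers(cipher_string):
    """Suites still selected that do no server authentication (Au=None in the
    OpenSSL description); they encrypt but cannot stop an active interposer."""
    return [c for c in allowed_ciphers(cipher_string) if "Au=None" in c["description"]]


def unencrypted_ciphers(cipher_string):
    """Suites still selected that encrypt nothing (Enc=None in the description)."""
    return [c for c in allowed_ciphers(cipher_string) if "Enc=None" in c["description"]]


def audit(cipher_string, min_bits=128):
    """One-shot summary a reviewer can compare against the intent of the
    config: number of selected suites plus the ones that miss the stated bar."""
    return {
        "selected": len(allowed_ciphers(cipher_string)),
        "below_min_bits": sorted(c["name"] for c in weak_ciphers(cipher_string, min_bits)),
        "unauthenticated": sorted(c["name"] for c in unauthenticated_ciphers(cipher_string)),
        "unencrypted": sorted(c["name"] for c in unencrypted_ciphers(cipher_string)),
    }


if __name__ == "__main__":
    # Hypothetical hardened string for comparison (assumption, not from the
    # thread): the posted exclusions plus !aNULL, which drops every anonymous
    # suite rather than only ADH, and !3DES, which OpenSSL rates at 112 bits.
    hardened = POSTED_CIPHER_STRING + ":!aNULL:!3DES"
    for label, cs in (("posted", POSTED_CIPHER_STRING), ("hardened", hardened)):
        print(f"{label}: {cs}")
        for key, value in audit(cs).items():
            print(f"  {key}: {value}")
```

Running it prints, for each string, how many suites the local OpenSSL selects and the names of any that fall below 128 bits, lack authentication, or lack encryption; an empty list for all three on the hardened string is the condition the post's "128 bit or stronger" intent actually requires, and the same check can be run on any candidate SSLCipherSuite value before it is deployed.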