Educause Security Discussion mailing list archives
Re: Certificates
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 10 Sep 2010 11:47:38 +0000
And you’ll have to do that to comply with PCI requirements. Enabled weak ciphers and protocols will show up in a vulnerability scan, and they’re scored at or above CVSS 4.0, at which level PCI mandates correction. For example, if you have a supporting web site with a “pay now” link leading to an outsourced processor.

On 9/9/10 6:01 PM, "Mark Montague" <markmont () UMICH EDU> wrote:

> On September 9, 2010 17:45, Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM> wrote:
>
>> Just a comment about the quality of certs… If you have anything to do with personally identifiable information going over the network via SSL, be sure you get at least 128b with lesser crypto turned OFF in order to be compliant with PCI and other requirements.
>
> I recommend that instead of trying to get a certificate that is labeled to not allow connections with strength of less than 128 bits, you configure your web server to disallow this and to also disallow known-weak protocols and cyphers. Configuring this in the web server rather than the certificate not only gives you more control but is more certain, in my opinion, and may save you money, too, depending on which certificate vendor you are using.
>
> As an example, here are the options I use for Apache HTTP Server 2.2.x:
>
>     SSLProtocol ALL -SSLv2
>     SSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH
>
> This restricts the web server to using either SSLv3 or TLS only, together with 128 bit or stronger encryption.
>
> --
> Mark Montague
> markmont () umich edu
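Added here as an illustration of the server-side approach Mark describes, not code from anyone in the thread: a small Python audit that reads an Apache mod_ssl fragment and reports the weak settings a PCI scan would flag. It assumes the Apache 2.2-era meaning of the ALL protocol keyword, treats a missing directive as the permissive default, and goes beyond the 2010 post by also counting SSLv3 as weak, in line with later guidance.

```python
import re

# Protocols a PCI scan flags as weak. The thread only drops SSLv2; SSLv3 is
# listed too, reflecting later guidance (goes beyond the 2010 post).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# What 'ALL' expanded to in Apache 2.2-era mod_ssl (assumption).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Weak cipher classes and the OpenSSL aliases whose '!' exclusion removes them.
REQUIRED_EXCLUSIONS = {
    "NULL": {"NULL", "eNULL"},   # no encryption
    "LOW": {"LOW"},              # 56/64-bit suites
    "EXP": {"EXP", "EXPORT"},    # export-grade suites
    "ADH": {"ADH", "aNULL"},     # anonymous (unauthenticated) key exchange
}

# Constructed sample fragments: a permissive default and the thread's settings.
PERMISSIVE_CONFIG = "SSLProtocol all\nSSLCipherSuite ALL\n"
THREAD_CONFIG = "SSLProtocol ALL -SSLv2\nSSLCipherSuite ALL:!NULL:!LOW:!EXP:!ADH\n"


def directive(config, name):
    """Value of the last occurrence of `name` in the fragment, or None."""
    value = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)" + re.escape(name) + r"\s+(.+)$", line)
        if m:
            value = m.group(1).strip()
    return value


def enabled_protocols(value):
    """Resolve an SSLProtocol value such as 'ALL -SSLv2' to the enabled set."""
    canon = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {canon.get(name.lower(), name)}
        enabled = (enabled | names) if op == "+" else (enabled - names)
    return enabled


def audit(config):
    """Return findings for the weak settings; an empty list means none found."""
    findings = []
    # A missing directive is treated as the permissive 'all' (conservative assumption).
    protos = enabled_protocols(directive(config, "SSLProtocol") or "all")
    for p in sorted(protos & WEAK_PROTOCOLS):
        findings.append("weak protocol enabled: " + p)
    tokens = (directive(config, "SSLCipherSuite") or "ALL").split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    for cls, aliases in REQUIRED_EXCLUSIONS.items():
        if not aliases & excluded:
            findings.append("weak ciphers not excluded: " + cls)
    return findings
```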