Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443

GregWilliamBryant

Registered
May 10, 2018
1
0
1
UK
cPanel Access Level
Root Administrator
Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443 even though SSLCipherSuite disables them.


I’ve search a number of posts on this topic but have been unable to find a solution to my problem.


I am currently failing PCI compliance on:


SSL/TLS Weak Encryption Algorithms:

Evidence:

TLSv1_2 : AECDH-DES-CBC3-SHA

TLSv1_2 : AECDH-AES128-SHA

TLSv1_2 : AECDH-AES256-SHA


And

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32:

Evidence:

TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA

TLSv1_2 : AECDH-DES-CBC3-SHA

TLSv1_2 : DES-CBC3-SHA

Although I have my SSL Cipher Suite to disable these Algorithms:

SSL Cipher Suite [?]

HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

SSL/TLS Protocols [?]

All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1


Have I miss interpreted something? Help is appreciated and welcomed!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463

rulerofzu

Registered
Mar 20, 2011
4
1
53
I had this come up on my PCI scans this month. The scanning company stated it was due to SHA-1 then rambled on about the Google sunset.

After triple checking everything I couldnt find any issue so I asked them to manually check my SSL at ssllabs.com and they then logged it as a false positive and passed my scan.

Worth a thought before you drive yourself mad running scans and not being able to resolve it!
 
  • Like
Reactions: cPanelMichael