Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443

Discussion in 'Security' started by GregWilliamBryant, May 10, 2018.

  1. GregWilliamBryant

    Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443 even though SSLCipherSuite disables them.


    I’ve searched a number of posts on this topic but have been unable to find a solution to my problem.


    I am currently failing PCI compliance on:


    SSL/TLS Weak Encryption Algorithms:

    Evidence:

    TLSv1_2 : AECDH-DES-CBC3-SHA

    TLSv1_2 : AECDH-AES128-SHA

    TLSv1_2 : AECDH-AES256-SHA


    And

    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32:

    Evidence:

    TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA

    TLSv1_2 : AECDH-DES-CBC3-SHA

    TLSv1_2 : DES-CBC3-SHA

    Although I have my SSL Cipher Suite to disable these Algorithms:

    SSL Cipher Suite [?]

    HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

    SSL/TLS Protocols [?]

    All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1


    Have I misinterpreted something? Help is appreciated and welcomed!
     
  2. cPanelMichael

  3. rulerofzu

    I had this come up on my PCI scans this month. The scanning company stated it was due to SHA-1 then rambled on about the Google sunset.

    After triple checking everything I couldn't find any issue so I asked them to manually check my SSL at ssllabs.com and they then logged it as a false positive and passed my scan.

    Worth a thought before you drive yourself mad running scans and not being able to resolve it!
     
    cPanelMichael likes this.
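
Added example (not part of the original thread or any poster's code): one way to check the first post's configuration offline is to expand the posted SSL Cipher Suite string with the local OpenSSL and list any anonymous-key-exchange or 3DES suites it still selects. It assumes Python's `ssl` module is linked against an OpenSSL comparable to the one the web server uses; `expand`, `classify` and `weak_suites` are hypothetical helper names.

```python
import ssl

# SSL Cipher Suite value copied from the first post.
POSTED = (
    "HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:"
    "!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:"
    "!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:"
    "!SSLv2:!SSLv3"
)
# Suite names the scanner listed as evidence in the first post.
REPORTED = {"AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA",
            "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"}

def expand(cipher_string):
    """Return the suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def classify(entry):
    """Return why a get_ciphers() entry is weak, or None if it is not."""
    desc = entry["description"]  # e.g. "... Kx=ECDH Au=None Enc=AES(256) ..."
    if "Au=None" in desc:
        return "anonymous key exchange, server is not authenticated"
    if "Enc=3DES" in desc:
        return "64-bit block cipher (Sweet32)"
    if entry["name"] in REPORTED:
        return "named in the scanner evidence"
    return None

def weak_suites(cipher_string):
    """Map suite name -> reason for each weak suite the string selects."""
    reasons = {c["name"]: classify(c) for c in expand(cipher_string)}
    return {name: why for name, why in reasons.items() if why}

if __name__ == "__main__":
    selected = expand(POSTED)
    print(f"{len(selected)} suites selected by the posted string")
    for name, why in weak_suites(POSTED).items():
        print(f"WEAK {name}: {why}")
```

An empty result only shows that the string itself excludes the reported suites under the local OpenSSL build; it does not show which configuration the listener on port 443 is actually serving.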