PCI scan on the firewall

siddhartham
Level 4

We got the alert below when we ran the PCI scan on our VPN firewall (we use it for remote-access VPN). Did anyone come across this?

OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue

Solution-

Upgrade to OpenSSL 0.9.8j or later.

ASA 5510 running 8.2(2)

Siddhartha
6 Replies

Marvin Rhoads
Hall of Fame

I have seen a similar issue reported by an external auditor for the ASA firewall, where the "medium" and "weak" SSL ciphers were reported as supported. You can harden the ASA with the setting:

     ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5

...applied from the command line.  The ciphers listed in that command are all "strong" and should result in the scan being successful. This should not impact any clients running anything like a modern browser.

You can find the equivalent commands in ASDM under “Configuration, Remote Access VPN, Advanced, SSL Settings”. Just make the menu picks so that only the above-listed algorithms are in the “Active Algorithms” list.

Thanks Marvin, Will make the change and see if it resolves the issue.

Siddhartha

Marvin,

I removed that SSL cipher and ran the scan again, but I am still getting the error. Below is the output from my ASA.

Any other workaround?

     vpn# sh run all ssl
     ssl server-version any
     ssl client-version any
     ssl encryption aes256-sha1 aes128-sha1 3des-sha1
     ssl trust-point ASDM_TrustPoint1 outside

Siddhartha
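The two posts above amount to a manual config review: read the output of "sh run all ssl", confirm only the strong cipher keywords remain, and confirm the protocol version is not still permitting SSLv3. The script below automates that review. It is an added example written for this thread, not Cisco code and not the scanner's logic, and it assumes the ASA 8.x keyword names for "ssl encryption" and "ssl server-version" (null-sha1, des-sha1, rc4-md5, rc4-sha1, 3des-sha1, aes128-sha1, aes256-sha1; any, sslv3, tlsv1, sslv3-only, tlsv1-only). The weak/strong split follows the thread's own classification except that rc4-md5 and rc4-sha1 are treated as weak, which is how any current scanner rates RC4 suites; the second sample configuration is constructed to exercise the weak branch and is not the ASA default. Note the caveat the thread itself reaches: the scanner finding is about a bug in the OpenSSL build inside the ASA image (the advisory linked later in the thread), so a cipher list can look clean and the finding can persist until the firmware is upgraded; this check only tells you the configuration side is in order.

```python
"""Review an ASA 'show run all ssl' capture for weak SSL settings.

Added example for this thread, not a Cisco tool. Keyword names and the
weak/strong classification are assumptions stated in the lead-in.
"""

# ASA 8.x 'ssl encryption' keywords (assumption: from the 8.x CLI reference).
WEAK_CIPHERS = {"null-sha1", "des-sha1", "rc4-md5", "rc4-sha1"}
STRONG_CIPHERS = {"aes256-sha1", "aes128-sha1", "3des-sha1"}

# 'ssl server-version' values that still let a client negotiate SSLv3.
SSLV3_ALLOWING = {"any", "sslv3", "sslv3-only"}

# The hardened configuration as posted in the thread.
SAMPLE_HARDENED = """\
vpn# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
"""

# Constructed sample with weak suites enabled (not the ASA default).
SAMPLE_WEAK = """\
vpn# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5 null-sha1
ssl trust-point ASDM_TrustPoint1 outside
"""


def parse_ssl_config(text):
    """Pull the 'ssl ...' lines out of a show-run capture into a dict."""
    cfg = {"server-version": None, "client-version": None,
           "encryption": [], "trust-points": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "ssl":
            continue  # prompt line, blank line, or unrelated command
        if parts[1] == "server-version":
            cfg["server-version"] = parts[2]
        elif parts[1] == "client-version":
            cfg["client-version"] = parts[2]
        elif parts[1] == "encryption":
            cfg["encryption"] = parts[2:]  # order is the ASA preference order
        elif parts[1] == "trust-point":
            cfg["trust-points"].append(tuple(parts[2:]))
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    if not cfg["encryption"]:
        findings.append("no 'ssl encryption' line found in capture")
    for c in cfg["encryption"]:
        if c in WEAK_CIPHERS:
            findings.append(f"weak cipher enabled: {c}")
        elif c not in STRONG_CIPHERS:
            findings.append(f"unrecognised cipher keyword: {c}")
    if cfg["server-version"] in SSLV3_ALLOWING:
        findings.append(f"ssl server-version {cfg['server-version']} "
                        "still accepts SSLv3; use tlsv1-only")
    return findings


def hardened_commands(cfg):
    """Emit the CLI lines that would fix the findings, keeping cipher order."""
    cmds = []
    if cfg["server-version"] in SSLV3_ALLOWING:
        cmds.append("ssl server-version tlsv1-only")
    strong_only = [c for c in cfg["encryption"] if c in STRONG_CIPHERS]
    if strong_only != cfg["encryption"]:
        cmds.append("ssl encryption " + " ".join(strong_only))
    return cmds


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        cfg = parse_ssl_config(text)
        print(f"== {label} ==")
        for f in audit(cfg):
            print("  finding:", f)
        for cmd in hardened_commands(cfg):
            print("  fix:    ", cmd)
```

Run it against a saved "sh run all ssl" capture; the posted configuration yields a single finding (server-version any) and one fix line, while the constructed weak sample yields four weak-cipher findings plus the protocol finding. Apply the emitted lines in configure mode and re-run the external scan; if the OpenSSL finding survives a clean cipher list, the remaining lever is the software version, as the thread concludes.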

Anyone...?

Siddhartha

Hi Siddhartham,

I think Marvin is correct in his explanation; the change in accepted cipher suites should fix the problem. I think you have to contact the PCI scan company about a false positive. The bug they mention works by switching to a lower cipher suite in the middle of the connection, but since you are not supporting any medium or lower security ciphers it should affect you.

here's a good read on this security violation :-

http://www.openssl.org/news/secadv_20101202.txt

Also, you might be able to get rid of this issue completely by updating to the latest code for your ASA from Cisco, which might be built on a newer version of OpenSSL.

Thanks

Manish

Thanks guys. Upgrading the firewall to 8.4.3 resolved the issue.

Siddhartha