
Trustwave scan (PCI DSS) failed

My company provides servers with PCI compliance. My client did a scan (Trustwave scan) but the dispute 'SSL/TLS Weak Encryption Algorithms' was denied and they provided the following information.

======
Description: The SSL-based service running on this host appears to support the use of "weak" ciphers such as:

  • Cipher suites that have key lengths of less than 128 bits.

  • Cipher suites using anonymous Diffie-Hellman algorithms (no authentication).

  • Cipher suites offering no encryption.

  • Cipher suites using pre-shared keys.

  • Cipher suites using RC4 or MD5.

    Evidence: Cipher Suite: TLSv1 : RC4-SHA

My server details:

CLOUDLINUX 5.11 x86_64 WHM 11.52.1 SSH version: OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008.

Can somebody explain to me what this is and how to fix this issue?

This happened because in your web server you have enabled these cipher suites. Disable all these ciphers in your web server's config file and only provide AES ciphers. Then you can also check the cipher suites here: https://www.ssllabs.com/ssltest/

Your https config is weak and so potentially insecure if anyone really wanted to break it.

Run your website through https://www.ssllabs.com/ssltest/ and it will show all the issues with your SSL config setup, which should mirror the report you got. You can probably get rid of some of the red errors it will undoubtedly throw up and get a C grade by updating your web server config. How exactly you do this will depend on your web server, which you have not listed (Apache at a guess?).

However, one of your big problems is going to be your old version of OpenSSL (0.9.8), which does not support TLSv1.1 or TLSv1.2. These will soon be required for PCI compliance (though they have just pushed back the date of that). It's time to update to a more modern version of OpenSSL and then configure your server to use the more modern security settings that allows.

Upgrading OpenSSL might be tricky though, and might require upgrading/reinstalling the web server too. Seek professional advice on how to handle this.
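Before re-running the scan, it helps to check locally that the cipher string you put in the web server config no longer offers anything in the five categories the report lists. The script below is an added example (not from the question or either answer): it parses the `Kx=/Au=/Enc=/Mac=` columns of `openssl ciphers -v '<your cipher string>'` output and flags each suite against those categories. The sample lines are constructed in the 0.9.8/1.0-era output format; pipe real output to `audit()` to check your own config.

```python
import re
import sys

# One line of `openssl ciphers -v` output, e.g.
# "RC4-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Constructed sample output covering each category in the scan report.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
"""

def parse_cipher_line(line):
    """Split one -v line into its fields; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    # Enc is "AES(128)", "RC4(40)" or "None"; pull out the key length in bits.
    bits = re.search(r"\((\d+)\)", c["enc"])
    c["bits"] = int(bits.group(1)) if bits else 0
    return c

def weaknesses(c):
    """Return the scan-report categories this suite falls into (empty = ok)."""
    found = []
    if c["enc"] == "None":
        found.append("no encryption")
    elif c["bits"] < 128:
        found.append("key length < 128 bits")
    if c["au"] == "None":                 # ADH / AECDH: no authentication
        found.append("anonymous Diffie-Hellman")
    if c["kx"].startswith("PSK") or c["au"] == "PSK":
        found.append("pre-shared key")
    if c["enc"].startswith("RC4"):
        found.append("RC4")
    if c["mac"] == "MD5":
        found.append("MD5")
    return found

def audit(text):
    """Map every suite name in the -v output to its list of weaknesses."""
    parsed = (parse_cipher_line(l) for l in text.splitlines())
    return {c["name"]: weaknesses(c) for c in parsed if c}

if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, flags in audit(src).items():
        print("%-28s %s" % (name, ", ".join(flags) or "ok"))
```

Usage: `openssl ciphers -v 'YOUR_CIPHER_STRING' | python audit_ciphers.py`; any suite not printed as `ok` would be flagged again by the scanner.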
