PCI scan failure for SSL Certificate with Wrong Hostname?

Posted by Rob Mangiafico on Server Fault See other posts from Server Fault or by Rob Mangiafico
Published on 2012-08-29T02:32:05Z Indexed on 2012/08/29 3:40 UTC
Read the original article Hit count: 2109

Filed under:

ssl-certificate

|

pci-dss

|

nessus

A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically:

Description: SSL Certificate with Wrong Hostname

Synoposis: The SSL certificate for this service is for a different host.

Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.

The mail server uses sendmail (patched) and provides email service for a number of domains. The server itself has a valid SSL certificate, but it does not match each domain (as we add/remove domains all the time as clients move around).

Seems SecurityMerics is the only ASV that marks this as failing PCI. Trustwave, McAfee, etc... do not see this as failing PCI.

Is this issue truly a PCI failure? Or is it just SecuritMetrics being wrong?

© Server Fault or respective owner

Related posts about ssl-certificate

import SSL Certificate from IIS to Tomcat

as seen on Server Fault - Search for 'Server Fault'
Can we import the IIS CSR to the java keytool? >>> More
PCI scan failure for SSL Certificate with Wrong Hostname?

as seen on Server Fault - Search for 'Server Fault'
A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically: Description: SSL Certificate with Wrong Hostname Synoposis: The SSL certificate for this service is… >>> More
Setting up an SSL Certificate in Apache

as seen on Internet.com - Search for 'Internet.com'
When the HTTP protocol was designed, it was assumed that data transmission would be secure. Times have changed and network security has become much more important to us, especially for certain tasks. Sukrit Dhandhania shows you how to set up Secure Sockets Layer. >>> More
wildcard ssl certificate - exchange 2010 - POP/IMAP problem

as seen on Server Fault - Search for 'Server Fault'
previously we have requested a wildcard ssl certificate from godaddy for our major domain. one of the reasons was the new established exchange server 2010. usually you require following names included in certificiate: FQDN (e.g. mail.whatever.com) Hostname (mail) Domain name (whatever.com) Autodiscover… >>> More
SSL certificate fail apache

as seen on Server Fault - Search for 'Server Fault'
Hello, I have setup a certificate on Apache server. When I access my site's https pages, I see the certificate flashing (in FireFox's url tab) and disappearing immediately. The browser stays in the same windows (https) but now certificate info is not displayed and the connection is not encrypted… >>> More

Related posts about pci-dss

Options for PCI-DSS 11.5 - Deploy file integrity monitoring software

as seen on Server Fault - Search for 'Server Fault'
I'm looking for options to be compliant with PCI-DSS section 11.5 for some servers I manage at the datacenter. There are several servers (less than 20) and they are mostly CentOS5, but there are some RHEL4 and Solaris9 Sparc. I believe Tripwire, Inc. is the leader in this area, but I am looking for… >>> More
Wireless Activity Monitoring for PCI DSS Compliance

as seen on Super User - Search for 'Super User'
In an effort to be PCI DSS compliant, I took a trustkeeper.net questionnaire. I failed the question that asks Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? (SAQ #11… >>> More
Oracle for PCI-DSS Security Webcast

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Thanks to everyone who attended the Oracle for PCI-DSS security webcast today. It was good to see how the products we talked about last week can be used to address the PCI standard requirements. A big thanks to Chris Pickett for presenting a great session and running us through a very cool demo showing… >>> More
Secure Delete PCI-DSS Windows Environment

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I have been reviewing a number of applications for securing deleting files. I understand the concepts of overwriting the file several times with zeros and random characters; however, I don't understand the concept of renaming the file up to thirty times before actually deleting the file. Any… >>> More
PCI/DSS: Data at Rest

as seen on Stack Overflow - Search for 'Stack Overflow'
Would you consider the use of caching products in the category of data at rest? >>> More