PCI scan failure for SSL Certificate with Wrong Hostname?

Posted by Rob Mangiafico on Server Fault See other posts from Server Fault or by Rob Mangiafico
Published on 2012-08-29T02:32:05Z Indexed on 2012/08/29 3:40 UTC
Read the original article Hit count: 2116

Filed under:
|
|

A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically:


Description: SSL Certificate with Wrong Hostname

Synoposis: The SSL certificate for this service is for a different host.

Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.


The mail server uses sendmail (patched) and provides email service for a number of domains. The server itself has a valid SSL certificate, but it does not match each domain (as we add/remove domains all the time as clients move around).

Seems SecurityMerics is the only ASV that marks this as failing PCI. Trustwave, McAfee, etc... do not see this as failing PCI.

Is this issue truly a PCI failure? Or is it just SecuritMetrics being wrong?

© Server Fault or respective owner

Related posts about ssl-certificate

Related posts about pci-dss