PCI scan findings and problems with weak ciphers on ports 993, 443, 995, 465
- by user64991
From PCI scan results:
Synopsis: The remote service encrypts traffic using a protocol with known
weaknesses. Description: The remote service accepts connections encrypted
using SSL 2.0, which reportedly suffers from several cryptographic flaws and has
been deprecated for several years. An attacker may be able to exploit these issues
to conduct man-in-the-middle attacks or decrypt communications between the
affected service and clients. See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead. Risk Factor: Medium / CVSS Base Score: 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
I have tried changing
SSLProtocol all -SSLv2
to
SSLProtocol -ALL +SSLv3 +TLSv1
and
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
to
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
But using SSLDigger, it shows the same result. Is this the right way to do something like this?
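One thing worth checking before tuning Apache further: of the four ports in the finding, only 443 is normally served by Apache. 993 (IMAPS), 995 (POP3S) and 465 (SMTPS) are usually the mail daemon, which has its own SSL configuration that the httpd directives above do not touch. The scanner decides "SSL 2.0 accepted" by sending an SSLv2 CLIENT-HELLO and seeing whether the service answers with an SSLv2 SERVER-HELLO, so the quickest way to see which service is still affected (and whether a config change actually took effect after a restart) is to repeat that probe per port. The script below is an added example written for this answer, not code from the original post, from SSLDigger or from the scanner; it builds the SSLv2 CLIENT-HELLO, parses a SERVER-HELLO, and includes a constructed sample reply so the parser can be exercised offline. The `probe()` function and its `host`/`port` arguments are this example's own names, and the sample certificate bytes are made up.

```python
import os
import socket
import struct

# The seven CIPHER-KIND values defined by the SSL 2.0 draft (3 bytes each).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build the SSLv2 CLIENT-HELLO record a scanner sends to test for SSL 2.0."""
    if challenge is None:
        challenge = os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)   # offer every SSLv2 cipher kind
    body = (
        b"\x01"                                 # MSG-CLIENT-HELLO
        + b"\x00\x02"                           # CLIENT-VERSION = 2
        + struct.pack(">H", len(cipher_specs))  # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)                  # SESSION-ID-LENGTH (no resumption)
        + struct.pack(">H", len(challenge))     # CHALLENGE-LENGTH
        + cipher_specs
        + challenge
    )
    # Two-byte SSLv2 record header: high bit set = no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None if `data` is not one.

    A service with SSLv2 disabled answers with a TLS alert, garbage, or nothing,
    none of which carries the SSLv2 record header and message type 4.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    # Fixed part: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(body) < 11 or body[0] != 0x04:       # MSG-SERVER-HELLO
        return None
    cert_len, spec_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]


def sample_sslv2_server_hello():
    """Constructed SERVER-HELLO (fake certificate bytes) offering two ciphers, for offline testing."""
    cert = b"\x30\x03\x02\x01\x00"              # made-up placeholder, not a real X.509 cert
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\x00" * 16
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


def probe(host, port, timeout=5.0):
    """Send an SSLv2 CLIENT-HELLO to a live service; [] means SSL 2.0 was refused.

    Works for implicit-TLS ports such as 443, 465, 993 and 995; it is not a
    STARTTLS client, so port 25/143/110 would need the STARTTLS exchange first.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_sslv2_server_hello(reply) or []


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port in (443, 465, 993, 995):
        try:
            print(port, probe(host, port) or "SSLv2 refused")
        except OSError as exc:
            print(port, "connect failed:", exc)
```

A non-empty list for a port means that service (not necessarily Apache) still negotiates SSL 2.0 and needs its own protocol setting fixed, or the daemon restarted so the new configuration is loaded. For Apache itself, `SSLProtocol all -SSLv2` already excludes SSL 2.0; the rewritten `-ALL +SSLv3 +TLSv1` is equivalent for that purpose, so an unchanged scan result on 443 points at a vhost that is not picking up the directive or a server that was not restarted rather than at the directive syntax.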