Until we have a method to specify the cipherlist at agent install time, please provide a new 10.51 agent bundle that includes at least some of the ciphers listed below in the default agent cipherlist. The reason for this is in order to pass PCI audits. We know how to change the agent after it’s installed, but if we change the Satellites and Cores to ONLY support the PCI compliant ciphers, new agent installations will fail.
Here are the vulnerabilities that are exposed in the PCI audit:
TLS/SSL Server Supports The Use of Static Key Ciphers
The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.
Disable TLS/SSL support for static key cipher suites
Configure the server to disable support for static key cipher suites. For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 (http://support.microsoft.com/kb/245030/) for instructions on disabling static key cipher suites. The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols. Refer to your server vendor documentation to apply the recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
TLS/SSL Server Does Not Support Any Strong Cipher Algorithms
The server is not configured with support for any modern, secure ciphers and only supports ciphers known to be weak against attack.
Enable TLS/SSL support for strong ciphers
Enable support for at least one of the ciphers listed below:
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
We are already planning to upgrade to 2018.08, but that is a multi-day outage that will not occur soon enough to satisfy PCI requirements.
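As an added example that is not part of this post or the vendor's tooling, the following script uses only Python's standard `ssl` module to resolve the scanner's recommended OpenSSL cipher string against the local OpenSSL build and check both findings offline: it lists any enabled suite whose key exchange is static (no forward secrecy), and reports which of the strong suites named in the second finding the string actually enables.

```python
import ssl

# OpenSSL-format cipher string from the first finding's remediation text
PCI_CIPHER_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# IANA suite names from the second finding ("enable at least one of")
STRONG_SUITES_IANA = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


def iana_to_openssl(iana_name):
    """Map an IANA suite name to OpenSSL's naming, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256."""
    name = iana_name[4:] if iana_name.startswith("TLS_") else iana_name
    name = name.replace("_WITH_", "_")
    name = name.replace("AES_128", "AES128").replace("AES_256", "AES256")
    return name.replace("_", "-")


def expand_cipher_string(cipher_string):
    """Resolve an OpenSSL cipher string to the suites the local OpenSSL build enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def static_key_suites(cipher_string):
    """Enabled suites whose key exchange is not ephemeral (no forward secrecy).
    TLS 1.3 suites always use ephemeral key exchange, so they are never reported."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["protocol"] != "TLSv1.3" and c["kea"] not in ("kx-ecdhe", "kx-dhe")]


def enabled_strong_suites(cipher_string):
    """Which of the scanner's required strong suites the string enables on this host."""
    enabled = {c["name"] for c in expand_cipher_string(cipher_string)}
    return [s for s in STRONG_SUITES_IANA if iana_to_openssl(s) in enabled]
```

Which suites the string expands to depends on the OpenSSL version the host runs, so run it on the machine where the configuration will actually be applied.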