PCI: New agent bundle to support additional defaults in cipher_list eg ECDHE-RSA-AES128-GCM-SHA256

Until we have a method to specify the cipherlist at agent install time, please provide a new 10.51 agent bundle that includes at least some of the ciphers listed below in the default agent cipherlist. The reason for this is in order to pass PCI audits. We know how to change the agent after it’s installed, but if we change the Satellites and Cores to ONLY support the PCI compliant ciphers, new agent installations will fail.

Here are the vulnerabilities that are exposed in the PCI audit:

Vulnerability Title: TLS/SSL Server Supports The Use of Static Key Ciphers

Vulnerability Description: The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

Vulnerability Solution: Disable TLS/SSL support for static key cipher suites. Configure the server to disable support for static key cipher suites. For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 (http://support.microsoft.com/kb/245030/) for instructions on disabling static key cipher suites. The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols. Refer to your server vendor documentation to apply the recommended cipher configuration:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Vulnerability Title: TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

Vulnerability Description: The server is not configured with support for any modern, secure ciphers and only supports ciphers known to be weak against attack.

Vulnerability Solution: Enable TLS/SSL support for strong ciphers. Enable support for at least one of the ciphers listed below:
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 * TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
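As an added example (not part of the original post or of the vendor's agent code), a Python checker that evaluates an OpenSSL-style cipher_list string against the two findings above: it flags every non-ephemeral token as a static key cipher and looks for the strong suites named in the second finding. The IANA-to-OpenSSL name mapping and the ephemeral prefix list are assumptions based on OpenSSL's cipher naming, and the check inspects only the configured string, not what a live server actually negotiates.

```python
# Constructed example, not code from the original post or the vendor's agent:
# statically check an OpenSSL cipher_list string against the two findings.
# Only the configured string is read, not a live handshake; keyword groups
# such as HIGH are reported as static-key since they can expand to static RSA.
# Strong suites from the second finding (IANA name -> OpenSSL name; assumed).
STRONG_IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256": "DHE-DSS-AES128-GCM-SHA256",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384": "DHE-DSS-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

# Suite names / keyword groups whose key exchange is ephemeral (forward secret).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDHE+", "DHE+", "KEDH", "KEECDH")

def parse_cipher_list(cipher_list):
    """Split into enabled tokens and removed tokens ('!X' and '-X')."""
    enabled, removed = [], []
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in "!-":
            removed.append(token[1:])
        else:
            enabled.append(token)
    return enabled, removed

def is_forward_secret(token):
    return token.upper().startswith(EPHEMERAL_PREFIXES)

def check_pci_findings(cipher_list):
    """Return which of the two findings would fire for this cipher_list."""
    enabled, removed = parse_cipher_list(cipher_list)
    active = [t for t in enabled if t not in removed]
    static_key = [t for t in active if not is_forward_secret(t)]
    strong = [iana for iana, ossl in STRONG_IANA_TO_OPENSSL.items()
              if ossl in active]
    return {
        "static_key_ciphers": static_key,  # finding 1 fires if non-empty
        "strong_ciphers": strong,          # finding 2 fires if empty
        "passes": not static_key and bool(strong),
    }

if __name__ == "__main__":  # constructed legacy-style list: fails both findings
    print(check_pci_findings("AES128-SHA:DES-CBC3-SHA:RC4-SHA:!aNULL"))
```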


We are already planning to upgrade to 2018.08, but that is a multi-day outage that will not occur soon enough to satisfy PCI requirements.

2 Comments

Micro Focus Expert
Status changed to: Accepted

Micro Focus Expert
Status changed to: Delivered

These ciphers are supported with the most recent agent bundles delivered with patch rollups.
