Remediation for SSL/TLS Recommended Cipher Suites (PCI DSS) Finding - NETSEC

Thursday, January 16, 2025

Remediation for SSL/TLS Recommended Cipher Suites (PCI DSS) Finding

SSL/TLS Recommended Cipher Suites (PCI DSS) Vulnerability

Severity : MEDIUM

Tenable PLUGIN ID: 159543



 

Background

Our vulnerability scan found this issue. Some SSL/TLS ports are using insecure cipher suites such as:
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA384

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to only enable support for the following cipher suites:

TLSv1.3:
  • 0x13,0x01 TLS13_AES_128_GCM_SHA256
  • 0x13,0x02 TLS13_AES_256_GCM_SHA384
  • 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256

TLSv1.2:
  • 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
  • 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
  • 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
  • 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
  • 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
  • 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
  • 0xCC,0xAA DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.


Solution

Only enable support for recommended cipher suites.





Tenable Scan Finding


The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:

High Strength Ciphers (>= 112-bit key)

    Name                      Code         KEX   Auth  Encryption     MAC
    ------------------------  -----------  ----  ----  -------------  ------
    ECDHE-RSA-AES256-SHA      0xC0, 0x14   ECDH  RSA   AES-CBC(256)   SHA1
    ECDHE-RSA-AES256-SHA384   0xC0, 0x28   ECDH  RSA   AES-CBC(256)   SHA384

The fields above are:
    {Tenable ciphername}
    {Cipher ID code}
    Kex={key exchange}
    Auth={authentication}
    Encrypt={symmetric encryption method}
    MAC={message authentication code}
    {export flag}







Verification

 
Find the cipher using Chrome
  1. Launch Chrome.
  2. Enter the URL you wish to check in the browser.
  3. Click on the ellipsis located on the top-right in the browser.
  4. Select More tools > Developer tools > Security.
  5. Look for the line "Connection...". This will describe the version of TLS or SSL used.






Testing Using Free Online Services    

 
https://hackertarget.com/ssl-check/



Remediation


Since this is an Nginx service, here is the remediation configuration for this issue on port 443.


server {
    listen       443 default_server ssl;            # the address this server listens on (required)
    ssl_certificate /usr/local/nginx/conf/ssl/*.cer;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/*key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;

    # Return 403 Forbidden
    location / {
        return 403;
    }
}

server {
    listen 80 default;

    return 301 https://$host$request_uri;
}
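
To catch a discouraged suite before it reaches the scanner, the Nginx configuration itself can be checked against the allowlist. The following is an added example, not part of the original post: the names `directives`, `audit` and `SAMPLE_CONF` are hypothetical, the sample config is constructed, and it assumes each directive sits on a single line.

```python
import re

# OpenSSL names from the ssl_ciphers line in the remediation config above.
RECOMMENDED = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: a server block still offering the two flagged CBC suites.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!aNULL;
}
"""

def directives(conf, name):
    """Yield (line_no, argument_string) for each `name ...;` directive."""
    pattern = re.compile(r"\s*" + re.escape(name) + r"\s+([^;]+);")
    for line_no, line in enumerate(conf.splitlines(), 1):
        match = pattern.match(line.split("#", 1)[0])  # ignore comments
        if match:
            yield line_no, match.group(1).strip().strip("'\"")

def audit(conf):
    """Return (line_no, directive, value) for every value outside the allowlist."""
    findings = []
    for line_no, args in directives(conf, "ssl_ciphers"):
        for token in re.split(r"[:,\s]+", args):
            # "!X" and "-X" remove suites, so they cannot enable a weak one.
            # Everything else, keywords such as HIGH included, must be an
            # exact allowlisted name or it is reported.
            if token and token[0] not in "!-" and token not in RECOMMENDED:
                findings.append((line_no, "ssl_ciphers", token))
    for line_no, args in directives(conf, "ssl_protocols"):
        for proto in args.split():
            if proto not in ALLOWED_PROTOCOLS:
                findings.append((line_no, "ssl_protocols", proto))
    return findings

if __name__ == "__main__":
    for line_no, directive, value in audit(SAMPLE_CONF):
        print(f"line {line_no}: {directive} enables discouraged value {value}")
```

A clean result only covers what the file states explicitly, so rescan the listening port after reloading Nginx to confirm what is actually negotiated.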




References

  • https://www.ssllabs.com/ssltest/
