{"id":416,"date":"2015-04-21T09:05:35","date_gmt":"2015-04-21T14:05:35","guid":{"rendered":"http:\/\/www.rajatswarup.com\/blog\/?p=416"},"modified":"2015-04-21T09:05:35","modified_gmt":"2015-04-21T14:05:35","slug":"pci-ssc-forbids-ssl-and-early-tls","status":"publish","type":"post","link":"https:\/\/www.rajatswarup.com\/blog\/2015\/04\/21\/pci-ssc-forbids-ssl-and-early-tls\/","title":{"rendered":"PCI SSC Forbids SSL and “Early TLS”"},"content":{"rendered":"

On April 15, 2015 the PCI SSC released <\/a>the PCI DSS v3.1<\/a>.\u00a0 The main cause for concern for most merchants and other entities (called “entities” hereonforth) that store, transmit and process cardholder data is the prohibition of using SSL and “Early TLS”.\u00a0 The PCI SSC also released a supplement <\/a>to assist entities in mitigating the issue.\u00a0\u00a0 The supplement references the NIST guideline SP800-52 rev1<\/a> for determining which are good ciphers and which are not.<\/p>\n

The key point being what does “Early TLS” mean?\u00a0 Does it mean TLSv1.0 and <\/strong>TLSv1.1 OR does it mean only TLSv1.0?\u00a0 Are the entities supposed to disable all ciphers except anything that’s TLSv1.2?<\/p>\n

Answer is (in consultant speak) “it depends”. \ud83d\ude42<\/p>\n

TLSv1.1 does theoretically have ciphers that are not ideal.\u00a0 Example: CBC mode ciphers that are TLSv1.1 but there may be a potential for attacks on them given that in the past couple of years CBC has fallen multiple times (BEAST, POODLE).<\/p>\n

Google Chrome lists the use of CBC-based ciphers (despite the fact that they’re TLSv1.1) to be obsolete.\u00a0 Google Chrome essentially makes “obsolete cryptography” a function of using TLS v1.2-based ciphers<\/a>.<\/p>\n

\"Untitled2\"<\/a><\/p>\n

Firefox allows the configuration of disabling TLSv1.0 and that can be done by typing “about:config” in the address bar.\u00a0 The security.tls.version.min = 0 (means SSLv3), 1 (means TLSv1.0), 2 (means TLSv1.1) and 3 (means TLSv1.2).\u00a0 The following screenshot shows the configuration snapshot (here the lowest allowed version is TLSv1.0).<\/p>\n

\"Untitled3\"<\/a><\/p>\n

Let’s start with what is definitely<\/em> ok for PCI:<\/p>\n

https:\/\/www.openssl.org\/docs\/apps\/ciphers.html#TLS-v1.2-cipher-suites<\/p>\n

 TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256\r\n TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256\r\n TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256\r\n TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256\r\n TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384\r\n\r\n TLS_DH_RSA_WITH_AES_128_CBC_SHA256        DH-RSA-AES128-SHA256\r\n TLS_DH_RSA_WITH_AES_256_CBC_SHA256        DH-RSA-AES256-SHA256\r\n TLS_DH_RSA_WITH_AES_128_GCM_SHA256        DH-RSA-AES128-GCM-SHA256\r\n TLS_DH_RSA_WITH_AES_256_GCM_SHA384        DH-RSA-AES256-GCM-SHA384\r\n\r\n TLS_DH_DSS_WITH_AES_128_CBC_SHA256        DH-DSS-AES128-SHA256\r\n TLS_DH_DSS_WITH_AES_256_CBC_SHA256        DH-DSS-AES256-SHA256\r\n TLS_DH_DSS_WITH_AES_128_GCM_SHA256        DH-DSS-AES128-GCM-SHA256\r\n TLS_DH_DSS_WITH_AES_256_GCM_SHA384        DH-DSS-AES256-GCM-SHA384\r\n\r\n TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256\r\n TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256\r\n TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256\r\n TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384\r\n\r\n TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256\r\n TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256\r\n TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256\r\n TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384\r\n\r\n TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256      ECDH-RSA-AES128-SHA256\r\n TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384      ECDH-RSA-AES256-SHA384\r\n TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256      ECDH-RSA-AES128-GCM-SHA256\r\n TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384      ECDH-RSA-AES256-GCM-SHA384\r\n\r\n TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256\r\n TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384\r\n TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256\r\n TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384\r\n\r\n TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256\r\n TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384\r\n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256\r\n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384\r\n\r\n TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256\r\n TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384\r\n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256\r\n TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384\r\n\r\n TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256\r\n TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256\r\n TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256\r\n TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384<\/code><\/pre>\n
 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256\r\n TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384\r\n TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  ECDH-ECDSA-CAMELLIA128-SHA256\r\n TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  ECDH-ECDSA-CAMELLIA256-SHA384\r\n TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256\r\n TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384\r\n TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    ECDH-RSA-CAMELLIA128-SHA256\r\n TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    ECDH-RSA-CAMELLIA256-SHA384\r\n<\/code><\/pre>\n
Now let’s see what may potentially be good from TLSv1.1 perspective (from NIST SP8000-52 rev1):<\/p>\n
TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA\r\nTLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA<\/code><\/pre>\n
Here’s a problem though per OpenSSL man page:
\n\"Untitled\"<\/a><\/p>\n
If you’re using OpenSSL, how do you ensure that the browser is not negotiating the vulnerable TLSv1.0 ciphers? The only real answer seems to be by providing a cipher order for negotiation and hoping the client doesn’t cheat<\/em>.\u00a0 Most likely, the browser will negotiate a better cipher when it exists in the server and on the client and you’d avert the possibility of negotiation of a bad cipher.<\/p>\n
According to experts, anything that uses CBC is inherently broken<\/a>.\u00a0 But disabling TLSv1.0 may make the server inaccessible to various older Android devices.\u00a0 Also, if you’re using older Java Development Kits (JDK7 and below), do remember that the default ciphers may not hit the spot for PCI<\/a>.<\/p>\n
There’s an excellent site<\/a> to help you configure each type of the server so you could become PCI compliant. This is an excellent site by Ivan Ristic<\/a> to test your Internet-facing servers for configuration of SSL\/TLS encryption.<\/p>\n
In conclusion, configure browsers to minimally allow TLSv1.1 and configure servers to use TLSv1.2 to be PCI DSS compliant.\u00a0 The road to TLSv1.1 compatibility and PCI DSS is filled with potholes and death-falls so do it at your own risk.<\/p>\n","protected":false},"excerpt":{"rendered":"
On April 15, 2015 the PCI SSC released the PCI DSS v3.1.\u00a0 The main cause for concern for most merchants and other entities (called “entities” hereonforth) that store, transmit and process cardholder data is the prohibition of using SSL and “Early TLS”.\u00a0 The PCI SSC also released a supplement to assist entities in mitigating the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[195,230],"tags":[],"class_list":["post-416","post","type-post","status-publish","format-standard","hentry","category-crypto","category-howto"],"_links":{"self":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/comments?post=416"}],"version-history":[{"count":7,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/416\/revisions"}],"predecessor-version":[{"id":427,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/416\/revisions\/427"}],"wp:attachment":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/media?parent=416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/categories?post=416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/tags?post=416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}