PCI Uyumluluğu için SSL Kontrolleri

PCI testlerinde firmalar genellikle yapılandırılması unutulmuş SSL sunucular yüzünden başarısız çıkmaktadır. PCI açıkca güçlü şifreleme ve algoritma kullanımı istemektedir.[1]

1)PCI tarama sonuçlarının FAIL çıkmasına sebep olan SSL hatalarından ilki sunucu sistemlerin düşük seviyeli SSL protokol desteğidir.

PCI taramalarında SUCCESS almak için sunucu sistemlerin SSLv2 desteğini kaldırmak gerekir.

SSL v2 desteği olup olmadığı aşağıdaki komutla anlaşılabilir.

openssl s_client -ssl2 -connect mail.lifeoverip.net:443

Eğer destekliyorsa  aşağıdaki gibi bir çıktı alırsınız

# openssl s_client -ssl2 -connect mail.lifeoverip.net:443
CONNECTED(00000003)
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/[email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/[email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/[email protected]
verify error:num=21:unable to verify the first certificate
verify return:1

Server certificate
—–BEGIN CERTIFICATE—–
MIIC2jCCAkOgAwIBAgICEAEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVFIx
ETAPBgNVBAgTCElTdGFuYnVsMScwJQYDVQQKEx5MaWZlb3ZlcmlwIENvbnN1bHRh
bnQgU2VydmljZXMwHhcNMDkwODE0MDgzNjEyWhcNMTAwODE0MDgzNjEyWjCBnjEL
MAkGA1UEBhMCVFIxETAPBgNVBAgTCElTdGFuYnVsMScwJQYDVQQKEx5MaWZlb3Zl
cmlwIENvbnN1bHRhbnQgU2VydmljZXMxETAPBgNVBAsTCFNlY3VyaXR5MRkwFwYD
VQQDFBAqLmxpZmVvdmVyaXAubmV0MSUwIwYJKoZIhvcNAQkBFhZodXpleWZlQGxp
ZmVvdmVyaXAubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8433eaY2z
oldD/atJnE/YAxNVw4l/lnql4xRRlMSj6sN5K4pcATnNTCkmfz+RPexPrD5jTnGH
eg5pF+CQunncz4H7GoDKTUyK3PXDpGonpNojiHdOwdI+Pxos1yXlLkhPPPl39xR7
1eUbY8wKh0RI//YI/MgIkIz7SQg7Rtl1RwIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUM7jCWgiS52RdJeVt9QiomzcKv74wHwYDVR0jBBgwFoAUE/blhkjr5WqK
zLxyKHUNOIkgKEUwDQYJKoZIhvcNAQEFBQADgYEAlrClCM4OwHIVuY+Z1lucHOo7
KO8CV4AZsPipH0rzjKYHAuPJEM4hOeBhjXIpO1wLPEHMbmRtLZOTqjaSCzgWA4/E
kML844DDK2WA6FvK+HMLfMbJrcUJlSD7BWbNTnd2IvStEFNP3xo2GSb5/kPdGSkq
N7zr4BWHycxZuZrLEQI=
—–END CERTIFICATE—–
subject=/C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/[email protected]
issuer=/C=TR/ST=IStanbul/O=Lifeoverip Consultant Services

No client certificate CA names sent

Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5

SSL handshake has read 867 bytes and written 236 bytes

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 5651A7532DB332322B3548828C9AF587
    Session-ID-ctx:
    Master-Key: CAA483ED155699A74A1CB589D93E5BC46AE96AB55B1C5134
    Key-Arg   : F5C117634219AE91
    Start Time: 1268818051
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

SSLv2 desteklemiyorsa aşağıdaki gibi çıktı alırsınız.

# openssl s_client -ssl2 -connect www.citibank.com:443
CONNECTED(00000003)
9853:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:s2_pkt.c:675:
9853:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Apache’de SSLv2 desteğini çıkarma

httpd.conf ya da ssl ayarları hangi dosyada tutuluyorsa(genelde ssl.conf) ilgili dosyaya aşağıdaki satırları ekleyip Apache’yi restart etmek yeterli olacaktır.

SSLProtocol -ALL +SSLv3 +TLSv1

Bu komutla sunucunun sadece SSLv3 ve TLSv1 desteklemesini söylüyoruz.
2)PCI Taramalarında FAIL çıkaran SSL’le ilgili diğer konu da zayıf şifreleme algoritmalarının kullanımıdır
Zayıf şifreleme algoritmalarının kullanımı aşağıdaki komutla öğrenilebilir
openssl s_client -connect www.visa.com:443 -cipher LOW:EXP

Eğer sistem zayıf şifreleme algoritmalarını destekliyorsa sonuç aşağıdaki gibi çıkacaktır.

~# openssl s_client -connect www.visa.com:443 -cipher LOW:EXP
CONNECTED(00000003)
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

Server certificate
—–BEGIN CERTIFICATE—–
MIIDWjCCAsOgAwIBAgIEBydSYTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTA5MTEyNDIwMTQ0N1oXDTEwMTEyNDIwMTMyN1owTTELMAkG
A1UEBhMCVVMxIjAgBgNVBAoTGUFrYW1haSBUZWNobm9sb2dpZXMsIEluYy4xGjAY
BgNVBAMTEWEyNDguZS5ha2FtYWkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDtWQuRdxfiWh+tkAt3jM7GO3fjGUczR+z+lJzOXR/N8vO4z/8EdsMAEQxX
rPjucJJVg3mzqjC9e95XJUv8O56N1k61FspmhgFSuCjuYRB9BpH2boFYJexeDidV
fjuUzslfba9WDhZibr/frOLUScTLQbR2ob8fzLaAcylKintkkQIDAQABo4IBHTCC
ARkwCQYDVR0TBAIwADAsBgNVHREEJTAjghFhMjQ4LmUuYWthbWFpLm5ldIIOKi5h
a2FtYWloZC5uZXQwCwYDVR0PBAQDAgUgMIGJBgNVHSMEgYEwf6F5pHcwdTELMAkG
A1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RF
IEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYDVQQDExpHVEUgQ3liZXJU
cnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3
dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIwMTgvY2RwLmNybDANBgkq
hkiG9w0BAQUFAAOBgQAKdzAWm4SCZGw3z9gox1Enz6FZCOlHf73HhLNEnkpI4jIJ
dhz1OGm0DJzZJXrmFMZ5StNZqPpXDnbSV5geLHK6pYquRNCmTK/jmrH1Jk6mY1EM
d/osKHfVqwLmQ3xND3K2W/bq5s571hP9IotRODQQftwUzU5W5Qi89Jzt60QLGA==
—–END CERTIFICATE—–
subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
issuer=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

No client certificate CA names sent

SSL handshake has read 1016 bytes and written 275 bytes

New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC-SHA
    Session-ID: D9F96C901688BEFAD153B09E11F8592B71957EE67F7DFF192EDAB2121CDD2205
    Session-ID-ctx:
    Master-Key: E2020445BE3D6F2D72953B88077A6E1CA495FA40E62D2DFA214E367D01D828BBB8F93FA20B874EB37834A80ED41D3C1E
    Key-Arg   : None
    Start Time: 1268818538
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Zayıf şifreleme algoritmalarını desteklemeyen bir sunucu aşağıdaki gibi çıktı verecektir.

~# openssl s_client -connect abc.sirket.com.tr:443 -cipher LOW:EXP
CONNECTED(00000003)
9857:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Apache’de zayıf şifreleme algoritmalarını kapatmak için

httpd.conf ya da ilgili ssl dosyasına aşağıdaki satırlar eklenerek Apache restart edilmelidir.

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Bilgisayarınızda openssl yüklü değilse burada anlatılan işlemleri clez.net sayfası üzerinden kolaylıkla deneyebilirsiniz.

 

 

 

 Ya da Linux sistemlere sslscan yazılımı kurarak hedef sunucuda hangi zayıf şifreleme algoritmaları kullanılmış belirleyebilirsiniz.

~# sslscan www.citibank.com:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | ‘_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                    Version 1.6
              http://www.titania.co.uk
     Copyright (C) 2007-2008 Ian Ventura-Whiting

Testing SSL server www.citibank.com on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2  40 bits   EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Failed    SSLv3  256 bits  ADH-AES256-SHA
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
    Failed    SSLv3  256 bits  AES256-SHA
    Failed    SSLv3  128 bits  ADH-AES128-SHA
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
    Failed    SSLv3  128 bits  AES128-SHA
    Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
    Failed    SSLv3  56 bits   ADH-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Failed    SSLv3  128 bits  ADH-RC4-MD5
    Failed    SSLv3  40 bits   EXP-ADH-RC4-MD5
    Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA

    Failed    SSLv3  40 bits   EXP-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-RC2-CBC-MD5
    Failed    SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Failed    SSLv3  40 bits   EXP-RC4-MD5
    Failed    SSLv3  0 bits    NULL-SHA
    Failed    SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Rejected  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA

    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Rejected  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-MD5
    TLSv1  128 bits  RC4-MD5

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    Not valid before: Jun 17 00:00:00 2009 GMT
    Not valid after: Jun 17 23:59:59 2011 GMT
    Subject: /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/streetAddress=399 Park Avenue/O=Citigroup Inc./OU=swcbweb5-www/CN=www.citibank.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
          00:c8:4a:cf:15:2e:60:3b:07:ca:02:7b:6a:dc:4d:
          de:1c:6d:10:8b:23:99:3e:e5:91:06:17:16:1e:2b:
          1d:7e:28:ab:30:3c:be:67:50:2f:4e:78:c8:6c:f3:
          bf:36:5b:a9:41:43:5e:cc:e1:4a:c4:40:2f:6e:4e:
          a8:d9:8d:1f:10:bd:f0:28:ef:49:b2:b8:db:8c:90:
          f5:08:49:b6:f8:9c:53:5b:69:cf:78:bf:de:e3:e1:
          8f:2d:2b:9a:0c:e6:8b:d2:61:8f:55:ab:15:04:c5:
          fa:35:66:22:3b:cd:bf:f6:f0:51:2c:6f:b4:6f:ab:
          03:6c:10:ca:18:53:da:e8:b8:ec:b0:49:85:73:79:
          48:a9:a6:f3:44:db:28:62:aa:b7:f0:cd:67:2a:eb:
          d3:53:f3:83:55:b3:85:5d:52:71:5d:a2:96:b2:7e:
          88:f5:c1:ef:40:07:4e:4d:91:2b:8c:14:3e:dd:76:
          91:fe:a9:97:fa:52:01:5a:43:10:c2:27:c5:75:fe:
          6a:03:53:d8:42:f5:67:f1:82:99:3e:48:a2:e1:da:
          45:c4:1b:7e:f4:71:b6:5c:4e:d7:b0:5c:86:60:2e:
          e4:07:83:a4:99:8f:68:f5:e6:8c:6d:d2:37:ba:fb:
          db:a5:ea:28:07:d9:eb:ce:43:10:1b:35:34:01:0d:
          b8:9f
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      X509v3 Subject Key Identifier:
        D3:DD:0C:1D:B5:42:E5:83:2A:2C:67:60:EE:C9:21:C8:19:D5:64:6D
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
      X509v3 CRL Distribution Points:
        URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl

      X509v3 Certificate Policies:
        Policy: 2.16.840.1.113733.1.7.23.6
          CPS: https://www.verisign.com/rpa

      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
      X509v3 Authority Key Identifier:
        keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF

      Authority Information Access:
        OCSP – URI:http://EVIntl-ocsp.verisign.com
        CA Issuers – URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer

      1.3.6.1.5.5.7.1.12:
        0`.^.\0Z0X0V..image/gif0!0.0…+……Kk.(…..R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
  Verify Certificate:
    self signed certificate in certificate chain

 

[PCI-DSS] 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS are:

    * The Internet,
    * Wireless technologies,
    * Global System for Mobile communications (GSM), and
    * General Packet Radio Service (GPRS).

4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks

    * Verify that strong encryption is used during data transmission
    * For SSL implementations:
          o Verify that the server supports the latest patched versions.
          o Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
          o Verify that no cardholder data is required when HTTPS does not appear in the URL.
    * Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
    * Verify that only trusted SSL/TLS keys/certificates are
    * Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)

This entry was posted in System Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

eleven − 1 =