Cisco Support Community
PCI scan on the firewall

We got the below alert when we ran the PCI scan on our VPN firewall (use it for remote access VPN), did anyone come across this?

OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue

Solution-

Upgrade to OpenSSL 0.9.8j or later.

ASA 5510 running  8.2(2)

Siddhartha

PCI scan on the firewall

I have seen a similar issue reported by an external auditor for an ASA firewall, where the "medium" and "weak" SSL ciphers were reported as supported. You can harden the ASA with the setting:

     ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5

...applied from the command line.  The ciphers listed in that command are all "strong" and should result in the scan being successful. This should not impact any clients running anything like a modern browser.

You can find the equivalent commands in ASDM under “Configuration, Remote Access VPN, Advanced, SSL Settings”. Just make the menu picks so that only the above-listed algorithms are in the “Active Algorithms” list.


PCI scan on the firewall

Thanks Marvin, Will make the change and see if it resolves the issue.

Siddhartha

PCI scan on the firewall

Marvin,

I removed that SSL cipher and ran the scan again, but I am still getting the error. Below is the output from my ASA.

Any other workaround?

     vpn# sh run all ssl
     ssl server-version any
     ssl client-version any
     ssl encryption aes256-sha1 aes128-sha1 3des-sha1
     ssl trust-point ASDM_TrustPoint1 outside

Siddhartha
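The following is an added example, not code from the thread or from Cisco: a small Python checker that parses `show run all ssl` output of the form Siddhartha posted and reports the things an external scan typically flags, namely weak `ssl encryption` keywords (the `rc4-md5` entry in Marvin's suggested list among them) and `ssl server-version any`, which still lets SSLv3 be negotiated. The sample configuration text is constructed from the posted output rather than captured from a device, and the cipher and version keywords are the ASA 8.x ones assumed here. Note that, as the thread itself shows, tightening the cipher list does not clear the OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG finding, because that concerns the OpenSSL build inside the ASA image; only the code upgrade resolved it.

```python
# Added example: audit ASA `show run all ssl` output for weak SSL settings.
# Not from the original thread; sample text below is constructed from what
# was posted, not captured from a live device.

# Constructed from Siddhartha's posted `sh run all ssl` output (ASA 8.2(2)).
SAMPLE_SHOW_RUN_ALL_SSL = """\
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
"""

# Marvin's suggested `ssl encryption` line, included for comparison.
SUGGESTED_ENCRYPTION_LINE = "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5\n"

# ASA 8.x `ssl encryption` keywords that scanners classify as weak or medium:
# RC4 (biased keystream), single DES (56-bit key), NULL (no confidentiality),
# and MD5 as the MAC. Assumed keyword set; adjust for your ASA release.
WEAK_CIPHER_KEYWORDS = frozenset({"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"})


def parse_ssl_config(text):
    """Turn `show run all ssl` output into a dict. Lines not starting with
    `ssl <keyword> <args>` (prompts, blanks) are ignored."""
    cfg = {"server_version": None, "client_version": None,
           "encryption": [], "trustpoints": []}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "ssl":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "server-version":
            cfg["server_version"] = args[0]
        elif keyword == "client-version":
            cfg["client_version"] = args[0]
        elif keyword == "encryption":
            cfg["encryption"] = args            # order is the server's preference
        elif keyword == "trust-point" and len(args) == 2:
            cfg["trustpoints"].append((args[0], args[1]))  # (trustpoint, interface)
    return cfg


def audit_ssl_config(text):
    """Return a list of human-readable findings; empty list means nothing to report."""
    cfg = parse_ssl_config(text)
    findings = []
    for cipher in cfg["encryption"]:
        if cipher in WEAK_CIPHER_KEYWORDS:
            findings.append(f"weak cipher enabled: {cipher}")
    if cfg["server_version"] == "any":
        # `any` negotiates SSLv3 as well as TLSv1; `tlsv1-only` restricts
        # the server side to TLSv1 client hellos (assumed ASA 8.x keyword).
        findings.append("ssl server-version any: SSLv3 is accepted; "
                        "consider 'ssl server-version tlsv1-only'")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_SHOW_RUN_ALL_SSL),
                        ("suggested cipher line", SUGGESTED_ENCRYPTION_LINE)):
        print(f"{label}:")
        for finding in audit_ssl_config(text) or ["no findings"]:
            print("  -", finding)
```

Paste the real `show run all ssl` output into `SAMPLE_SHOW_RUN_ALL_SSL` (or read it from a file) to check a device; the posted configuration produces only the `server-version any` finding, while Marvin's list is flagged for `rc4-md5`.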

PCI scan on the firewall

Anyone...?

Siddhartha

PCI scan on the firewall

Hi Siddhartham,

I think Marvin is correct in his explanation; the change in accepted cipher suites should fix the problem. I think you have to contact the PCI scan company about a false positive. The bug mentioned by them works by switching to a lower cipher suite in the middle of the connection, but since you are not supporting any medium or lower security ciphers it should affect you.

Here's a good read on this security violation:

http://www.openssl.org/news/secadv_20101202.txt

Also, you might be able to get rid of this issue completely by updating to the latest code for your ASA from Cisco, which might be built on a newer version of OpenSSL.

Thanks

Manish


PCI scan on the firewall

Thanks guys. Upgrading the firewall to 8.4.3 resolved the issue.

Siddhartha