This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG 220 - 7.511 - Vulnerability Scan - PCI Compliance

As part of our migration to a new credit card processing service - the vendor required a Vulnerability Scan to be run against our firewall (ASG 220 - 7.511).

The ASG almost escaped unscathed - other than an issue with SSLv2 (tcp/3400). Apparently our ASG220 accepted a SSLv2 connection. SSLv2 has some known "cryptographic weaknesses" that make it no PCI compliant. Obviously this is an old protocol...

Not sure if this is configurable - or has been resolved in newer firmware/updates (we tend to lag a bit behind the "bleeding edge" on updates).

A secondary issue also was flagged - in that the "System Responds to SYN+FIN TCP Packets"...

Any thoughts or suggestions.

This thread was automatically locked due to age.

Parents

0 BarryG over 13 years ago

I just tested my 7.509 system and get the following:

openssl s_client -connect fw2:4444 -ssl2
CONNECTED(00000003)
139955402442568:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1347489029
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

openssl s_client -connect fw2:443 -ssl2
CONNECTED(00000003)
140329520252744:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1347489147
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I think SSLv2 is already disabled.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 13 years ago

I just tested my 7.509 system and get the following:

openssl s_client -connect fw2:4444 -ssl2
CONNECTED(00000003)
139955402442568:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1347489029
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

openssl s_client -connect fw2:443 -ssl2
CONNECTED(00000003)
140329520252744:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1347489147
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I think SSLv2 is already disabled.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data