Ciphers
#11
(05-21-2020, 12:38 AM)zsleo Wrote: One of my web apps is being PCI certified.

1. How do I restrict ciphers from being used?

For example, I want to disallow ciphers
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
.. and others

2. I have an auditor querying if we can prevent ECDH public server param reuse

Is this possible and if so how.


TIA


Regarding the ciphers in Http.sys, I recommend you use a tool like the one JSP mentioned above. The GUI version is really simple and easy to use.
#12
Do you know the virtualization software that is being used?

Our SSE 4.2 detection code is correct. Very likely your VM software is returning wrong results for the cpuid instruction call.

Can you run this on it and see what you get? https://docs.microsoft.com/en-us/sysinte...s/coreinfo
#13
I will use that tool but it is a production server so we can only reboot it after 2 AM tomorrow.

I will report back.

I have a test server that is a Xeon 5160. Does Xeon 5160 support the algorithm?
#14
The CoreInfo tool doesn't need a reboot. It just retrieves the CPU information as reported by the VM. I only want you to execute it once and grab that information so we can analyze it.
#15
Just ran the app on a Windows Server 2019 in Azure and it works very nicely.
#16
Nice! I'm still interested to know the reason for that SSE 4.2 detection failure. As I mentioned, the detection code is in accordance with Intel's recommendations, so I suspect that it was caused by the virtualization software.
#17
In IW 15.2.0 released today, there is a new variable which allows you to bypass the SSE 4.2 compatibility check.

In your DPR file, before running your application, just set:

Example:

Code:
begin
  // Set this before the application starts: it skips the cpuid-based SSE 4.2 check
  IWZLibExAPI.IgnoreSSE42Check := True;
  TIWStart.Execute(True);
end.


This will allow SSE 4.2 compression to be used regardless of the status obtained via the cpuid instruction. You can use it when you are certain that SSE 4.2 is supported.
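Posts #12 and #16 say the detection follows Intel's recommendation and suspect the VM's cpuid emulation, and #17 adds an override that trusts the operator instead of cpuid. The following is an added example, not IntraWeb's code and not posted by anyone in this thread: it performs the check the way Intel documents it (CPUID leaf 1, ECX bit 20 for SSE4.2) and also reads ECX bit 31, which is always 0 on physical CPUs and is set by hypervisors, so you can tell whether a negative result came from a virtualised cpuid before deciding to use an override. It assumes GCC or Clang on x86 (`<cpuid.h>` and `__get_cpuid`); on any other target the live query reports "not available". The struct, function names and the `operator_override` flag are this example's own, not IntraWeb's.

```c
/* Added example (not from the IntraWeb thread or its author): SSE 4.2 detection
 * as Intel documents it, plus the hypervisor-present bit, so a failed check can be
 * told apart from a hypervisor that hides the feature.
 * Assumption: GCC/Clang on x86. Other targets compile but report "not available". */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID leaf 1, ECX bit 20: SSE4.2 (Intel SDM, CPUID.01H:ECX.SSE4_2). */
#define CPUID1_ECX_SSE42      (1u << 20)
/* CPUID leaf 1, ECX bit 31: reserved as 0 on physical CPUs; hypervisors set it. */
#define CPUID1_ECX_HYPERVISOR (1u << 31)

/* Pure decoders over a leaf-1 ECX value, so they can be exercised with constructed input. */
int sse42_from_ecx(uint32_t ecx)      { return (ecx & CPUID1_ECX_SSE42) != 0; }
int hypervisor_from_ecx(uint32_t ecx) { return (ecx & CPUID1_ECX_HYPERVISOR) != 0; }

struct cpu_features {
    int supported;    /* 1 = leaf 1 was readable on this build/CPU, 0 = not x86 or leaf missing */
    uint32_t ecx;     /* raw leaf-1 ECX as returned by the (possibly virtualised) CPU */
    int sse42;        /* decoded SSE4.2 bit */
    int hypervisor;   /* decoded hypervisor-present bit */
};

/* Query the live CPU. Inside a VM these values come from the hypervisor's cpuid emulation. */
struct cpu_features query_cpu_features(void)
{
    struct cpu_features f = {0, 0, 0, 0};
#if HAVE_X86_CPUID
    unsigned eax, ebx, ecx, edx;
    /* __get_cpuid returns 0 when leaf 1 is above the CPU's maximum basic leaf. */
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        f.supported  = 1;
        f.ecx        = ecx;
        f.sse42      = sse42_from_ecx(ecx);
        f.hypervisor = hypervisor_from_ecx(ecx);
    }
#endif
    return f;
}

/* Policy for an "ignore the check" style override (hypothetical flag, this example's own):
 * SSE4.2 code paths are enabled if the CPU reports the feature itself, or if the operator
 * explicitly asserts the host has it. If the assertion is wrong the process will hit an
 * illegal-instruction fault, so the caller should only set it after confirming on the host. */
int sse42_usable(const struct cpu_features *f, int operator_override)
{
    if (f->supported && f->sse42) return 1;
    return operator_override ? 1 : 0;
}

int main(void)
{
    struct cpu_features f = query_cpu_features();
    if (!f.supported) {
        puts("cpuid leaf 1 not available (non-x86 build?)");
        return 0;
    }
    printf("leaf1 ECX = 0x%08x  SSE4.2=%d  hypervisor-present=%d\n",
           f.ecx, f.sse42, f.hypervisor);
    if (!f.sse42 && f.hypervisor)
        puts("SSE4.2 not reported while running under a hypervisor: "
             "compare with what CoreInfo shows on the physical host before overriding");
    return 0;
}
```

Run it inside the affected VM and on the physical host (or compare with CoreInfo's output): if the host reports SSE4.2 but the guest reports 0 with the hypervisor bit set, the VM's CPU model is masking the feature, and the safer fix is to expose the feature in the VM configuration rather than to bypass the check.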
#18
Thanks, Alexandre.

I am still waiting, because it is a PCI-controlled environment, for approval to install and run CoreInfo on the box.