Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Ciphers
#1
One of my web apps is being PCI certified.

1. How do I restrict ciphers from being used?

For example, I want to disallow ciphers
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
.. and others

2. I have an auditor querying if we can prevent ECDH public server param reuse

Is this possible and if so how.


TIA
Reply
#2
For which deployment method? The answer varies depending on of its IIS, SA, etc
Reply
#3
(05-21-2020, 04:40 PM)kudzu Wrote: For which deployment method? The answer varies depending on of its IIS, SA, etc
It is IIS on a Win 2016 Server
Reply
#4
For Win Server i use this software to handle configs:
https://www.nartac.com/Products/IISCrypto/Download
Reply
#5
For IIS all SSL configurations are handled by IIS, so this is an IIS question. Please check the tool Jose posted to see if it will assist you.

ECDH public server param is also an IIS setting.

Neither of these when deployed via IIS are provided by IntraWeb itself.
Reply
#6
(05-22-2020, 05:55 PM)kudzu Wrote: For IIS all SSL configurations are handled by IIS, so this is an IIS question. Please check the tool Jose posted to see if it will assist you.

ECDH public server param is also an IIS setting.

Neither of these when deployed via IIS are provided by IntraWeb itself.
Thanks to both of you
Reply
#7
I tried running the same application as HSYS standalone and the log file is reporting
"Http compression has been disabled: SSE 4.2 is required for ZLib compression however this processor does not support SSL 4.2."

Help will be appreciated...
Reply
#8
HSYS standalone? Those are 2 separate things. HTTP.sys or standalone?

What CPU is causing the issue?
Reply
#9
(10 hours ago)kudzu Wrote: HSYS standalone? Those are 2 separate things. HTTP.sys or standalone?

What CPU is causing the issue?
... HSYS exe ...

If you mean CPU of the server, it is E5649 in an HS22 blade. Also, this is happening with both 32 bit and 64 bit builds
Reply
#10
(Yesterday, 01:52 AM)zsleo Wrote: I tried running the same application as HSYS standalone and the log file is reporting
"Http compression has been disabled: SSE 4.2 is required for ZLib compression however this processor does not support SSL 4.2."

Help will be appreciated...

This processor supports SSE 4.2 but somehow our code to detect it is failing.

I'll investigate this and get back to you
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)