The remote service supports the use of medium strength SSL ciphers errors in PCI scan

Question

I received this error when my server was scanned for PCI compliance. I was wondering if it may be because I shut off iptables. I do not want to ask them to scan it again until I am sure that it will pass. My first question is, is there any way to scan for this myself? My other question is, does iptables being turned off the actual problem?

Below are just a few errors I am getting:

• TCP 443 https - The remote service supports the use of weak SSL ciphers
• TCP 465 urd - The remote service accepts connections encrypted using SSL 2.0
• TCP 993 imaps - The remote services encrypts traffic using a protocol with known weaknesses
• TCP 995 pop3s - The remote service accepts connections encrypted using SSL 2.0

Thanks for your time.

Answer 1

The errors are not specifically anything to do with iptables - they are indicating that the highlighted services are configured to support SSL in a weak or insecure manner.

However, if you do not intend to provide mail services to the outside world, then you should be disabling the SMTPS, IMAPS and POP3S services running on ports 465, 993 and 995 respectively (or blocking them with iptables).

In addition, presuming that you do intend to provide HTTPS services, you will need to fix the SSL configuration of the web server that you have listening. You will want to configure it to support only TLS 1.0 connections, and only strong ciphers. For help with this, ServerFault is the right site.