Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443

GregWilliamBryant

Registered
May 10, 2018
Trustwave failing PCI compliance SSL/TLS Weak Encryption Algorithms on Port 443 even though SSLCipherSuite disables them.


I’ve searched a number of posts on this topic but have been unable to find a solution to my problem.


I am currently failing PCI compliance on:


SSL/TLS Weak Encryption Algorithms:

Evidence:

TLSv1_2 : AECDH-DES-CBC3-SHA

TLSv1_2 : AECDH-AES128-SHA

TLSv1_2 : AECDH-AES256-SHA


And

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32:

Evidence:

TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA

TLSv1_2 : AECDH-DES-CBC3-SHA

TLSv1_2 : DES-CBC3-SHA

Although I have my SSL Cipher Suite set to disable these algorithms:

SSL Cipher Suite

HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

SSL/TLS Protocols

All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1


Have I misinterpreted something? Help is appreciated and welcomed!
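A quick way to settle whether the cipher string above really excludes the suites in the scan evidence is to expand it with the same OpenSSL library the server uses and look for the flagged names in the result. The script below is an added example, not code from the thread or from cPanel: it expands the posted string with Python's ssl module, reports any flagged suite that survives, and for each flagged suite lists which `!` rules remove it (several rules usually overlap, e.g. `!aNULL` and the explicit `!AECDH-...` entries). Run it on the web server itself so the linked OpenSSL matches Apache's; a clean result there means the finding concerns something other than this cipher string (another listener on 443, a vhost with its own settings, or the scanner).

```python
import ssl

# The WHM "SSL Cipher Suite" value from the post, split only for readability.
POSTED_CIPHER_SUITE = (
    "HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:"
    "!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!AECDH-AES256-SHA:!AECDH-AES128-SHA:"
    "!AECDH-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:"
    "!SSLv2:!SSLv3"
)

# Suites named in the scan evidence: AECDH = anonymous ECDH (aNULL family,
# no server authentication); DES-CBC3 = 3DES, the 64-bit block cipher of Sweet32.
FLAGGED = ("AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA", "AECDH-AES256-SHA",
           "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA")

def effective_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it enables. The
    result depends on the OpenSSL build, so run this on the web server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def flagged_still_enabled(cipher_string, flagged=FLAGGED):
    """Scanner-flagged suites that the string still allows, sorted."""
    return sorted(set(effective_ciphers(cipher_string)) & set(flagged))

def excluded_by(cipher_string, suite):
    """The '!' rules that each remove `suite` on their own, or None when the
    positive rules never select it on this OpenSSL build."""
    tokens = cipher_string.split(":")
    positive = [t for t in tokens if not t.startswith("!")]
    if suite not in effective_ciphers(":".join(positive)):
        return None
    return [t for t in tokens if t.startswith("!")
            and suite not in effective_ciphers(":".join(positive + [t]))]

if __name__ == "__main__":
    print("still enabled:", flagged_still_enabled(POSTED_CIPHER_SUITE) or "none")
    for suite in FLAGGED:
        print(suite, "removed by", excluded_by(POSTED_CIPHER_SUITE, suite))
```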
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011

rulerofzu

Registered
Mar 20, 2011
I had this come up on my PCI scans this month. The scanning company stated it was due to SHA-1 then rambled on about the Google sunset.

After triple checking everything I couldn't find any issue so I asked them to manually check my SSL at ssllabs.com and they then logged it as a false positive and passed my scan.

Worth a thought before you drive yourself mad running scans and not being able to resolve it!
 