
Re: [WEB SECURITY] SSL Server Options - Ciphers
Hi,

> Now, in my internal testing with openssl s_client -ssl2 -connect host:443
> and with IE and Firefox by forcing them to [X] Use SSLv2 only, the
> testing seems to work. No successful SSL negotiation and connection was
> made.

What I have seen with some devices (Cisco SCA) is that if the
protocol/cipher is disabled, an SSL connection is still made, but the
device then only returns a page that explains the cipher is disabled.
The PCI scan company at first reported this as failing - their tool
was just seeing the established connection, and not recognizing that
it's just an error page. When I challenged this, they agreed that this
arrangement is compliant with the spirit of PCI - a CC number will
never go over the weak cipher. They updated their tool and noted us as
compliant.

Now, I'm not sure this is the same issue you've seen - you indicate no
SSL connection was made at all. But it's quite a similar issue, so may
be relevant.

Best wishes,

Paul
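The distinction Paul draws above (handshake refused outright, versus handshake completed but only an "this cipher is disabled" page returned) is exactly what a scanner that stops at the established connection gets wrong. The following is an added example, not code from the original thread or from any scanning vendor: a small Python classifier for `openssl s_client` transcripts that reads the negotiated cipher, then looks at the HTTP response that came back over that connection and reports one of three verdicts. The three sample transcripts are constructed for illustration; the exact error strings that `openssl s_client` prints vary between versions, so the markers lists are an assumption you should extend from your own openssl's output.

```python
"""Classify `openssl s_client` transcripts for a weak-protocol/cipher check.

Distinguishes three outcomes that a naive scanner conflates:
  refused     - handshake rejected: the protocol/cipher really is off
  error_page  - handshake completed, but the server only returned a refusal page
  served      - handshake completed and real content came back (needs remediation)
  established - handshake completed but no HTTP exchange was captured
"""
import re
from dataclasses import dataclass
from typing import Optional

# Fields openssl s_client prints in the "SSL-Session:" block and the "New, ..." line.
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
NEW_LINE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
PROTO_LINE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
HTTP_STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})", re.M)

# Assumption: strings openssl prints when the handshake does not complete.
HANDSHAKE_FAIL_MARKERS = ("handshake failure", "wrong version number",
                          "no ciphers available", "unsupported protocol")
# Assumption: phrases a "cipher disabled" landing page typically contains.
REFUSAL_PAGE_MARKERS = ("disabled", "not supported", "not permitted", "upgrade")
NO_CIPHER = {"(NONE)", "0000", ""}


@dataclass
class ProbeResult:
    handshake_ok: bool
    protocol: Optional[str]
    cipher: Optional[str]
    http_status: Optional[int]
    verdict: str


def parse_s_client(transcript: str) -> ProbeResult:
    """Parse one s_client transcript (handshake output plus any HTTP reply)."""
    lowered = transcript.lower()
    cipher = None
    m = CIPHER_LINE.search(transcript) or NEW_LINE.search(transcript)
    if m:
        cipher = m.group(m.lastindex)  # last group holds the cipher in both regexes
    proto_m = PROTO_LINE.search(transcript)
    protocol = proto_m.group(1) if proto_m else None

    failed = any(mark in lowered for mark in HANDSHAKE_FAIL_MARKERS)
    handshake_ok = (not failed) and cipher is not None and cipher not in NO_CIPHER

    status, body = None, ""
    s = HTTP_STATUS.search(transcript)
    if s:
        status = int(s.group(1))
        rest = transcript[s.end():]
        # Headers end at the first blank line; only the body is inspected for markers.
        sep = re.search(r"\r?\n\r?\n", rest)
        body = rest[sep.end():] if sep else ""

    if not handshake_ok:
        verdict = "refused"
    elif status is not None and (status >= 400 or
                                 any(mk in body.lower() for mk in REFUSAL_PAGE_MARKERS)):
        verdict = "error_page"
    elif status is not None:
        verdict = "served"
    else:
        verdict = "established"
    return ProbeResult(handshake_ok, protocol, cipher, status, verdict)


# Constructed sample transcripts (not captured from a real host).
SAMPLE_REFUSED = """CONNECTED(00000003)
140735213655872:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
"""

SAMPLE_ERROR_PAGE = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
---
HTTP/1.1 403 Forbidden
Content-Type: text/html

<html><body>The requested cipher is disabled on this server.</body></html>
"""

SAMPLE_SERVED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
---
HTTP/1.1 200 OK
Content-Type: text/html

<html><body>Welcome to the checkout</body></html>
"""

if __name__ == "__main__":
    for name, text in (("refused", SAMPLE_REFUSED), ("error page", SAMPLE_ERROR_PAGE),
                       ("served", SAMPLE_SERVED)):
        r = parse_s_client(text)
        print(f"{name:10s} handshake_ok={r.handshake_ok} cipher={r.cipher} "
              f"status={r.http_status} -> {r.verdict}")
```

In practice the transcript is produced by something like `openssl s_client -connect host:443 -cipher RC4-MD5 < request.txt`, where `request.txt` holds a minimal `GET / HTTP/1.0` request; only a `served` verdict means real content is reachable over the weak suite, which is the case the PCI scanner in the story should have been flagging.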

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org