We're trying to get our VPN appliance PCI compliant and we're not sure what is going on, as it's automatically failing.
Minimum TLS is 1.2 and we have disabled all the weak key exchanges. This was done prior to any PCI compliance requirement.
When we run the SSL test on ssllabs.com, we're getting an A-.
The PCI report contains the below:
THREAT: QID Detection Logic: For a SSL enabled port, the scanner probes and maintains a list of supported SSL/TLS versions. For each supported version, the scanner does a SSL handshake to get a list of KEX methods supported by the server. It reports all KEX methods that are considered weak. The criteria of a weak KEX method is as follows: The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.
IMPACT: An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.
SOLUTION: Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.
RESULT:
PROTOCOL  NAME   GROUP      KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUMSTRENGTH
TLSv1.2   ECDHE  secp192r1  192       yes             96                  low
TLSv1.2   ECDHE  secp192k1  192       yes             96                  low
TLSv1.2   ECDHE  secp160r2  160       yes             80                  low
TLSv1.2   ECDHE  secp160r1  160       yes             80                  low
TLSv1.2   ECDHE  secp160k1  160       yes             80                  low
TLSv1.2   ECDHE  sect193r2  193       yes             96                  low
TLSv1.2   ECDHE  sect193r1  193       yes             96                  low
TLSv1.2   ECDHE  sect163r2  163       yes             81                  low
TLSv1.2   ECDHE  sect163r1  163       yes             81                  low
TLSv1.2   ECDHE  sect163k1  163       yes             81                  low
The appliance is running 9.1.8.
Any ideas on how to resolve it?
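The scanner finding above is about ECDHE named groups, not RSA/DH key sizes, which is why an A- on ssllabs.com does not rule it out. The following script is an added example (not from the original post or the appliance vendor) that repeats the scanner's own check from a defender's side: it offers the server one curve at a time with `openssl s_client` and flags any accepted group whose classical strength (half the field size, as in the RESULT table) is below 112 bits. The host, port and curve list are assumptions; the curves are the ones named in the report plus two strong ones for contrast.

```shell
#!/usr/bin/env bash
# Per-curve ECDHE check, mirroring the scanner's detection logic.
set -u

MIN_STRENGTH=112   # PCI threshold from the report: 112 bits of security

# Curves listed in the scanner RESULT, plus two strong ones (assumed list).
CURVES="secp192r1 secp192k1 secp160r2 secp160r1 secp160k1 \
sect193r2 sect193r1 sect163r2 sect163r1 sect163k1 prime256v1 secp384r1"

# Field size in bits from the SEC/ANSI name: secp192r1 -> 192, prime256v1 -> 256.
curve_bits() {
    printf '%s\n' "$1" | sed -E 's/^[a-zA-Z]+([0-9]+).*/\1/'
}

# Classical strength = field size / 2, integer division, which reproduces the
# report's column (192 -> 96, 163 -> 81, 193 -> 96).
curve_strength() {
    echo $(( $(curve_bits "$1") / 2 ))
}

# Succeeds when the group meets MIN_STRENGTH.
curve_is_strong() {
    [ "$(curve_strength "$1")" -ge "$MIN_STRENGTH" ]
}

# Offer only one group to host:port over TLS 1.2; a completed handshake means
# the server accepted it. SECLEVEL=0 only lets our client *offer* weak curves
# so they can be tested; it changes nothing on the server. Needs network access.
probe_curve() {  # host port curve
    printf '' | openssl s_client -connect "$1:$2" -tls1_2 \
        -cipher 'DEFAULT:@SECLEVEL=0' -curves "$3" 2>/dev/null \
        | grep -q 'Server Temp Key: ECDH'
}

# Print every curve in CURVES the server accepts, marking those below threshold.
scan_weak_curves() {  # host port
    for c in $CURVES; do
        if probe_curve "$1" "$2" "$c"; then
            if curve_is_strong "$c"; then
                echo "ok    $c strength=$(curve_strength "$c")"
            else
                echo "WEAK  $c strength=$(curve_strength "$c")"
            fi
        fi
    done
}

# Usage: ./curvecheck.sh vpn.example.com 443   (hostname is a placeholder)
if [ -n "${1:-}" ]; then scan_weak_curves "$1" "${2:-443}"; fi
```

Any line printed as WEAK is exactly what the scanner will keep reporting until that group is removed from the appliance's allowed ECDHE curve list; after the change, re-run the script and only ok lines should remain.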