
Enabled all pci compliance options, still failing CVE-2011-3389: SSL/TLS Protocol x 3

andyb-uk

New Pleskian
Hi.

I have the latest Plesk 9.5.x updates

I have enabled the pci-compliance options

/usr/local/psa/admin/bin/pci_compliance_resolver --enable all

and followed the Plesk guide

Securing Servers in Compliance with PCI Data Security Standard - http://download1.parallels.com/Plesk...mpliance-guide

It passes everything now except 3 failures - they are all related to SSL/TLS...

SSL/TLS Protocol Initialization Vector
Implementation Information Disclosure
Vulnerability imap (143/tcp)
CVE-2011-3389

SSL/TLS Protocol Initialization Vector
Implementation Information Disclosure
Vulnerability pop3 (110/tcp)
CVE-2011-3389

SSL/TLS Protocol Initialization Vector
Implementation Information Disclosure
Vulnerability https (443/tcp)
CVE-2011-3389

It seems related to SSL, I have disabled weak ciphers as outlined in the guide.

How can I get this to pass?

Any help is welcomed
 
I agree, the same issue here with the new PCI compliance scan. We need a solution.
 
Edit /etc/courier-imap/*-ssl and look for the TLS_CIPHER_LIST line; replace it with this:

Code:
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:-SSLv2:+HIGH:+MEDIUM:-LOW:-EXP:@STRENGTH"

Then restart courier.
 
ok - that didn't work.

I assume it is because I had used the Plesk tool to PCI comply the server

i.e.

/usr/local/psa/admin/bin/pci_compliance_resolver --enable courier

- this creates

/etc/courier-imap/imapd-ssl.pci
/etc/courier-imap/pop3d-ssl.pci

Which contains

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

Is this conflicting?
 
Try replacing that one with the string I sent and restart courier. It took me a while to find the right combination of arguments that make the pci scanning companies happy.
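
Added example, not part of any post in this thread and not Plesk's own tooling: a small shell check that prints the active TLS_CIPHER_LIST from each courier SSL file named above, including the .pci copies, and flags any file that does not carry the string you intend to use. The function names and the sample directory are hypothetical; the sample files are constructed from the two cipher strings quoted in the thread, and the script does not establish which file the daemon actually loads.

```shell
#!/bin/sh
# Print the value of the last uncommented TLS_CIPHER_LIST assignment in a file.
cipher_list_of() {
    sed -n 's/^[[:space:]]*TLS_CIPHER_LIST=//p' "$1" | tail -n 1 |
        sed -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# audit_cipher_lists DIR EXPECTED
# One status line per file found; returns 1 if any file differs or has no setting.
audit_cipher_lists() {
    dir=$1 expected=$2 status=0
    for f in "$dir"/imapd-ssl "$dir"/pop3d-ssl \
             "$dir"/imapd-ssl.pci "$dir"/pop3d-ssl.pci; do
        [ -f "$f" ] || continue
        value=$(cipher_list_of "$f")
        if [ -z "$value" ]; then
            echo "MISSING  $f"; status=1
        elif [ "$value" = "$expected" ]; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f: $value"; status=1
        fi
    done
    return $status
}

# Constructed sample: an edited imapd-ssl next to an untouched imapd-ssl.pci.
make_sample_dir() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/imapd-ssl" <<'EOF'
#TLS_CIPHER_LIST="OLD:COMMENTED:OUT"
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:-SSLv2:+HIGH:+MEDIUM:-LOW:-EXP:@STRENGTH"
EOF
    cat > "$tmp/imapd-ssl.pci" <<'EOF'
TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
EOF
    echo "$tmp"
}

# Usage on a real server (path as given in the thread):
#   audit_cipher_lists /etc/courier-imap 'ALL:!ADH:RC4+RSA:-SSLv2:+HIGH:+MEDIUM:-LOW:-EXP:@STRENGTH'
```

A DIFFERS line for a .pci file means the edit was made in only one of the two copies.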
 