SSL cipher picker for AMS config / PCI coimpliance

[EKjellquist]

Folks,

Having a greater need to go through PCI compliance lately, and have plugged basically every hole save for AMS; I realize updating to TLS 1.3 / OpenSSL 1.1.1 / 3.0 is a big (but necessary) update, but I'm wondering if there's a simpler option update that may help us in the meantime;

I'm really only getting dinged for old encryption ciphers being available in AMS (even though they may be further down the list than the more robust ones offered, which is typical), and for what we're doing I would probably be ok in the interim if I could disable the oldest ciphers within AMS to remove them from being offered by the server.

So going along with what would likely end up being AMS 5.0, can we maybe get an update to 4.2.x that has an option tab where we can pick from available ciphers and enable / disable them, and/or do so via a settings .ini file? That would provide a lot more flexibility in case some admins need a much tighter or looser environment depending on what they're doing.

I also run Jive Networks' Openfire server for XMPP / messaging, and they have a chooser where one window has all the Enabled ciphers, and the other window has all the ones the server can support but aren't enabled (you just move them back and forth). This way, with each future backend update of AMS that includes an OpenSSL update, we can adjust which ciphers are available over time as standards tighten and new ones become available.

[Code Crafters]

In AMS you pick the TLS version you want to listen / connect on. In using TLS 1.2, this shouldn't allow communication with older ciphers anyway. Moving to a newer version of OpenSSL should remove older ciphers automatically too.

[EKjellquist]

In AMS you pick the TLS version you want to listen / connect on. In using TLS 1.2, this shouldn't allow communication with older ciphers anyway. Moving to a newer version of OpenSSL should remove older ciphers automatically too.

Well, for the REALLY old ones that's certainly true, though there are a number of 1.2 ciphers that are currently seen as weak by the stricter scans out there, and the openSSL version of AMS 4.2.x of 1.0.2 is basically unsupported as of 1/1/2020 with any further updates; moreover I believe part of the issue is that the compliance scanners are showing that those weak ciphers are capable on the AMS web server's version of OpenSSL, even if they're not actually accepted for transactions; these scans come up negative for my Apache 2.4.x web server for example, but because I can specifically disable which ciphers I want the server to positively identify that it DOESN'T support...

[Code Crafters]

We've just released Ability Mail Server 4.2.9 which defaults to using TLS 1.2 now. We will be aiming to do a major OpenSSL update this year but this is a major code shift and requires a lot of new code and testing so isn't a small update to do.