SSL cipher picker for AMS config / PCI coimpliance

SSL cipher picker for AMS config / PCI coimpliance

Postby EKjellquist » Tue Dec 17, 2019 3:07 pm

Folks,

Having a greater need to go through PCI compliance lately, and have plugged basically every hole save for AMS; I realize updating to TLS 1.3 / OpenSSL 1.1.1 / 3.0 is a big (but necessary) update, but I'm wondering if there's a simpler option update that may help us in the meantime;

I'm really only getting dinged for old encryption ciphers being available in AMS (even though they may be further down the list than the more robust ones offered, which is typical), and for what we're doing I would probably be ok in the interim if I could disable the oldest ciphers within AMS to remove them from being offered by the server.

So going along with what would likely end up being AMS 5.0, can we maybe get an update to 4.2.x that has an option tab where we can pick from available ciphers and enable / disable them, and/or do so via a settings .ini file? That would provide a lot more flexibility in case some admins need a much tighter or looser environment depending on what they're doing.

I also run Jive Networks' Openfire server for XMPP / messaging, and they have a chooser where one window has all the Enabled ciphers, and the other window has all the ones the server can support but aren't enabled (you just move them back and forth). This way, with each future backend update of AMS that includes an OpenSSL update, we can adjust which ciphers are available over time as standards tighten and new ones become available.
Attachments
openfire_example.jpg
Cipher chooser example
openfire_example.jpg (191.97 KiB) Viewed 9245 times
EKjellquist
 
Posts: 96
Joined: Tue Sep 09, 2014 10:40 pm

Re: SSL cipher picker for AMS config / PCI coimpliance

Postby Code Crafters » Mon Dec 23, 2019 10:28 am

In AMS you pick the TLS version you want to listen / connect on. In using TLS 1.2, this shouldn't allow communication with older ciphers anyway. Moving to a newer version of OpenSSL should remove older ciphers automatically too.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: SSL cipher picker for AMS config / PCI coimpliance

Postby EKjellquist » Thu Jan 02, 2020 7:59 pm

Code Crafters wrote:In AMS you pick the TLS version you want to listen / connect on. In using TLS 1.2, this shouldn't allow communication with older ciphers anyway. Moving to a newer version of OpenSSL should remove older ciphers automatically too.


Well, for the REALLY old ones that's certainly true, though there are a number of 1.2 ciphers that are currently seen as weak by the stricter scans out there, and the openSSL version of AMS 4.2.x of 1.0.2 is basically unsupported as of 1/1/2020 with any further updates; moreover I believe part of the issue is that the compliance scanners are showing that those weak ciphers are capable on the AMS web server's version of OpenSSL, even if they're not actually accepted for transactions; these scans come up negative for my Apache 2.4.x web server for example, but because I can specifically disable which ciphers I want the server to positively identify that it DOESN'T support...
EKjellquist
 
Posts: 96
Joined: Tue Sep 09, 2014 10:40 pm

Re: SSL cipher picker for AMS config / PCI coimpliance

Postby Code Crafters » Fri Jan 03, 2020 1:17 am

We've just released Ability Mail Server 4.2.9 which defaults to using TLS 1.2 now. We will be aiming to do a major OpenSSL update this year but this is a major code shift and requires a lot of new code and testing so isn't a small update to do.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm


Return to Suggestions

Who is online

Users browsing this forum: No registered users and 3 guests

cron