# OpenSSL and PCI compliance



## mdudley (Jul 18, 2018)

My PCI scan is failing due to a vulnerability in OpenSSL 1.0.2o.  They are saying that I should update to 1.0.2.p, which does not exist.  I do find though that there is a 1.0.2p-dev.  It was my understanding that the system should not be using developmental software for PCI compliance.  On top of that, the -dev version does not seem to be available in the ports tree.

How are others handling this?

Thanks,

Marshall


----------



## obsigna (Jul 18, 2018)

On upstream, the latest OpenSSL release of the 1.0.2 series is 1.0.2o. There is no 1.0.2p yet, see https://www.openssl.org/source/. The OpenSSL-Devel in the ports is actually the release version of the 1.1.0 series 1.1.0h. I would say the ports version sails under the false flag "Devel", since it is actually a normal release version. Perhaps, OpenSSL 1.1.0h would be accepted by the PCI scan. After installing security/openssl-devel from the ports, you would need to reinstall your web-server software.


----------



## obsigna (Jul 18, 2018)

For PCI compliance you would need also to deactivate SSL/early TLS protocols. In my Apache config I got the following:

```
...
SSLProtocol              All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite           HIGH:!aNULL:!AES128:!SSLv2:!SSLv3:!TLSv1
...
```


----------
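As an added example (not part of obsigna's post, nor Apache or OpenSSL code), here is a small Python checker that applies the token rules of mod_ssl's `SSLProtocol` directive to a config snippet and reports which SSL/early-TLS protocols each line still leaves enabled. The protocol names, the reading of `All` (everything except SSLv2 in Apache 2.4; TLSv1.3 only where the build supports it), the "last bare token replaces the set" behaviour, and the classification of SSLv2, SSLv3 and TLSv1 as the protocols PCI DSS calls SSL/early TLS are this example's assumptions; the sample config is constructed.

```python
"""Check Apache mod_ssl SSLProtocol lines for SSL / early-TLS leftovers.

Added example. Token handling mirrors mod_ssl's documented syntax:
"All", "+proto" adds, "-proto" removes, and a bare "proto" replaces the
set built so far (mod_ssl logs a warning when that overrides earlier
tokens). Everything below is an assumption of this example, not code
from the thread.
"""
import re

# Protocols mod_ssl understands; TLSv1.3 only exists in newer builds,
# but is listed so a "+TLSv1.3" token parses.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumption: "All" in Apache 2.4 means every supported protocol except SSLv2.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Assumption: the set PCI DSS treats as SSL / early TLS that must be disabled.
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}

_BY_LOWER = {name.lower(): name for name in KNOWN}


def parse_sslprotocol(value):
    """Return the set of protocol names enabled by one SSLProtocol value."""
    enabled = set()
    for tok in value.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()   # mod_ssl compares case-insensitively
        if name == "all":
            members = set(ALL)
        elif name in _BY_LOWER:
            members = {_BY_LOWER[name]}
        else:
            raise ValueError("unknown SSLProtocol token: " + tok)
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members          # bare token replaces what came before
    return enabled


def pci_findings(value):
    """Early-TLS protocols still enabled by the value, in KNOWN order."""
    enabled = parse_sslprotocol(value)
    return [p for p in KNOWN if p in enabled and p in EARLY_TLS]


def check_config(text):
    """Map each SSLProtocol line number in a config snippet to its findings."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            results[lineno] = pci_findings(m.group(1))
    return results


# Constructed sample: the directive from the thread beside a weaker one
# that still accepts TLS 1.0.
SAMPLE_CONFIG = """\
# hardened (as posted in the thread)
SSLProtocol              All -SSLv2 -SSLv3 -TLSv1
# older host that was never tightened past SSLv3
SSLProtocol              All -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for lineno, bad in sorted(check_config(SAMPLE_CONFIG).items()):
        status = "OK" if not bad else "early TLS still enabled: " + ", ".join(bad)
        print("line %d: %s" % (lineno, status))
```

Run it against your own `httpd.conf` or `ssl.conf` by reading the file into `check_config`; a non-empty list for any line is exactly what an external PCI scanner will flag. The check is static, so it cannot see protocols that a newer OpenSSL build does not support at all; confirm the live behaviour with `openssl s_client -tls1` against the server as well.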



## mdudley (Jul 18, 2018)

obsigna said:


> On upstream, the latest OpenSSL release of the 1.0.2 series is 1.0.2o. There is no 1.0.2p yet, see https://www.openssl.org/source/. The OpenSSL-Devel in the ports is actually the release version of the 1.1.0 series 1.1.0h. I would say the ports version sails under the false flag "Devel", since it is actually a normal release version. Perhaps, OpenSSL 1.1.0h would be accepted by the PCI scan. After installing security/openssl-devel from the ports, you would need to reinstall your web-server software.



No, it will not. 



> CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:
> 
> The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
> 
> ...




1.1.0h is also affected according to this notice on OpenSSL website.

Marshall


----------



## mdudley (Jul 18, 2018)

obsigna said:


> For PCI compliance you would need also to deactivate SSL/early TLS protocols. In my Apache config I got the following:
> 
> ```
> ...
> ...



I did this years ago.

Marshall


----------



## obsigna (Jul 19, 2018)

Well then, for the time being, as user root:

Just in case:
`pkg delete openssl-devel`
`pkg install openssl`

`mkdir -p ~/install; cd ~/install`
`svn co https://github.com/openssl/openssl.git/branches/OpenSSL_1_0_2-stable openssl-1.0.2-stable`
`cd openssl-1.0.2-stable`
`./Configure BSD-x86_64 shared --prefix=/usr/local --openssldir=/usr/local/openssl`
`make depend`
`make install clean`

`/usr/local/bin/openssl version` → OpenSSL 1.0.2p-dev  xx XXX xxxx

Rebuild Apache, telling it to use OpenSSL from the ports.

`/usr/local/bin/openssl ciphers -v 'HIGH:\!aNULL:\!RSA:\!SSLv2:\!SSLv3:\!TLSv1'` →

```
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
```

PS:

Excerpt of phpinfo():


----------
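An added example, not from the thread: a Python parser for `openssl ciphers -v` output that reports, per suite, anything negotiated below TLSv1.2, static (non-ephemeral) key exchange, and weak ciphers or MACs. The embedded sample takes four lines verbatim from the output above and adds two constructed weak suites so that every rule fires at least once. The column layout follows what OpenSSL 1.0.2 prints; the policy rules and the reading of the `Kx=` column (bare `ECDH`/`DH` is ephemeral, `ECDH/RSA`-style values are static) are this example's assumptions.

```python
"""Audit `openssl ciphers -v` output against a PCI-style policy.

Added example, not from the thread. Each -v line has the shape
  NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...
(OpenSSL 1.0.2 layout). The rules in findings() are this example's own.
"""
import re
from collections import namedtuple

Suite = namedtuple("Suite", "name proto kx au enc mac")

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Assumption: symmetric ciphers that should not appear at all.
WEAK_ENC_RE = re.compile(r"^(RC4|RC2|3DES|DES|IDEA|SEED|None)")
# Assumption: MACs that should not appear at all.
WEAK_MACS = ("SHA1", "MD5")


def parse_ciphers(text):
    """Parse -v output into Suite records, skipping lines that do not match."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


def forward_secret(suite):
    """Ephemeral exchanges print as bare ECDH/DH; static ones carry the
    certificate key type after a slash (ECDH/RSA, DH/DSS, ...)."""
    return suite.kx in ("ECDH", "DH")


def findings(suite):
    """List the policy problems of one suite, in a fixed order."""
    problems = []
    if suite.proto != "TLSv1.2":
        problems.append("protocol " + suite.proto)
    if not forward_secret(suite):
        problems.append("no forward secrecy (Kx=" + suite.kx + ")")
    if WEAK_ENC_RE.match(suite.enc):
        problems.append("weak cipher " + suite.enc)
    if suite.mac in WEAK_MACS:
        problems.append("weak MAC " + suite.mac)
    return problems


def audit(text):
    """Map each problematic suite name to its list of problems."""
    result = {}
    for suite in parse_ciphers(text):
        problems = findings(suite)
        if problems:
            result[suite.name] = problems
    return result


def allowed(text):
    """Names of the suites that pass every rule, in the order listed."""
    return [s.name for s in parse_ciphers(text) if not findings(s)]


# Constructed sample: four lines copied from the thread's output plus two
# weak suites (the last two) written in the same -v format for the demo.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_OUTPUT).items():
        print("%-32s %s" % (name, "; ".join(problems)))
    print("clean:", ", ".join(allowed(SAMPLE_OUTPUT)))
```

Pipe the real listing in with `openssl ciphers -v '<your string>' | python3 audit.py` after swapping the sample for `sys.stdin.read()`. Run over the output posted above, the checker shows something the cipher string in that command does not make obvious: the `DH-RSA-*`, `DH-DSS-*`, `ECDH-RSA-*` and `ECDH-ECDSA-*` entries use static key exchange and therefore give no forward secrecy, even though every one of them is a TLSv1.2 suite with a strong cipher.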



## mdudley (Jul 19, 2018)

Since this vulnerability requires high level access to the server, such as on a cloud or virtual machine environment, it is not applicable to a dedicated server with limited access.  So a waiver was granted.


----------



## Chris_H (Jul 19, 2018)

FWIW, as memory serves, and last time I checked, the version of OSSL in $BASE carries internal patches that I think overcome some, or perhaps all, of the shortcomings the otherwise stock version(s) suffer from.

--Chris


----------

