AnsweredAssumed Answered

PCI RC4 and BEAST Contradictions

Question asked by Paul Carthy on May 6, 2015
Latest reply on May 6, 2015 by Paul Carthy



We've recently started PCI compliance testing.


We have our scans done via Sysnet through Barclays.


Over the weekend we failed a scan for having RC4 ciphers enabled (CVE 2013-2566, CVE 2015-2808) with a base score of 4.2. The resolution for this problem was to disable RC4 ciphers, !RC4 to the cipher suites.


Upon retest after making the changes we passed these tests, but now fail BEAST (CVE 2011-3389) with a base score of 4.2. The resolution is to enable RC4 ciphers? i.e. SSLCipherSuite RC4+RSA:!EXPORT:!LOW.


The problem I now have is I end up in a loop of failing one or the other if I follow the advise. We really need to support XP/IE8 customers as a large proportion of our client base is NHS/Councils, who still run these solutions.


I spoke to Barclays technical team whose suggestion was to raise a false positive. Which I disagreed with as using the Qualsys tools I could see they were genuine failures. They didn't really understand the problem. I think this is a new problem due to the Bar Mitzvah attack raising the base score of RC4 from 2.9 to 4.2?


Is their any configuration I can use to pass these tests and still support XP/IE8? XP/IE8 will support 3DES, this is the default cipher I use when disabling RC4, but then I fail BEAST.


Any advise greatly appreciated,