
PCI scan does not warn against non NIST SP 800-52r1 ciphers

Question asked by Valérie Martin on Jun 24, 2017

Hello,

Based on https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf, which states "Note that not all implementations of TLS v1.1 are considered secure – refer to NIST SP 800 - 52 rev 1 for guidance on secure TLS configurations.", and on this NIST Special Publication http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf, whose section 3.3.1 Cipher Suites clearly states:

The server shall be configured to only use cipher suites that are composed entirely of Approved algorithms. A complete list of acceptable cipher suites for general use is provided in this section, grouped by certificate type and TLS protocol version.

Only 3DES and AES ciphers are listed, but a PCI scan performed with QualysGuard does not even notice ciphers like SEED or CAMELLIA. Shouldn't it report them as non-compliant?

The same goes for point 3.4.1.2 Certificate Status Request that states that OCSP stapling shall be enabled.

Cheers

Valérie
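An added example, not part of the original post and not Qualys's own logic: a small checker that classifies IANA cipher suite names against an allowlist approximating the Approved algorithms of SP 800-52r1 section 3.3.1, so that suites such as SEED and Camellia (and, going slightly beyond the post, anonymous key exchange, RC4 and MD5 suites) are flagged even if a scanner stays silent. The allowlist and the sample scan results are constructed assumptions, not taken from the publication's tables verbatim.

```python
import re

# Approximation of the algorithm families whose suites appear in SP 800-52r1
# section 3.3.1 (constructed for this example; check the tables before relying on it).
APPROVED_KEX = {"RSA", "DHE_RSA", "DHE_DSS", "DH_RSA", "DH_DSS",
                "ECDHE_RSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDH_ECDSA"}
APPROVED_CIPHERS = {"AES_128_CBC", "AES_256_CBC", "AES_128_GCM", "AES_256_GCM",
                    "3DES_EDE_CBC"}
APPROVED_HASHES = {"SHA", "SHA256", "SHA384"}   # MAC (CBC suites) or PRF (GCM suites)

# IANA names look like TLS_<kex>_WITH_<cipher>_<hash>.
SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5|NULL)$")


def check_suite(name):
    """Return (compliant, reason) for one IANA cipher suite name."""
    m = SUITE_RE.match(name)
    if not m:
        return (False, "unparseable suite name")
    kex, cipher, mac = m.group("kex"), m.group("cipher"), m.group("hash")
    if kex not in APPROVED_KEX:
        return (False, f"key exchange {kex} not Approved")
    if cipher not in APPROVED_CIPHERS:
        return (False, f"bulk cipher {cipher} not Approved")
    if mac not in APPROVED_HASHES:
        return (False, f"MAC/PRF hash {mac} not Approved")
    return (True, "all components Approved")


def non_compliant(suites):
    """Return [(suite, reason)] for every suite that fails the allowlist."""
    return [(s, reason) for s in suites for ok, reason in [check_suite(s)] if not ok]


# Constructed sample: suites a server might offer, as a scanner would list them.
SCAN_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite, reason in non_compliant(SCAN_SUITES):
        print(f"NON-COMPLIANT {suite}: {reason}")
```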
