PCI & SSL/Early TLS QIDs 38601, 42366

Igor Obolenskiy

Last updated on: December 20, 2022

Two QIDs will be marked as PCI Fail as of May 1, 2019, as required by the ASV Program Guide:

  • QID 38601 “SSL/TLS Use of Weak RC4 Cipher”
  • QID 42366 “SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)”

The latest revision of the ASV Program Guide (version 3.1) says the following about SSL/TLS components:

“A component must be considered non-compliant and marked as an automatic failure by the ASV:
– If it supports SSL or early versions of TLS, OR
– If strong cryptography is supported in conjunction with SSL or early versions of TLS (due to the risk of ‘forced-downgrade’ attacks).”

ASV scan customers were required to migrate away from SSL/early TLS by June 30, 2018, as announced in the Qualys blog post of April 18, 2017.

Compensating controls can be used where SSL/early TLS is still in use. If the system is found not to be susceptible to the particular vulnerabilities, a false positive/exception request can be submitted to and approved by the ASV, resulting in a “PCI Pass” for the affected scan component or target host.
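The following is an added example, not code from Qualys or from this post, showing how the rule quoted above maps onto a scan result. It takes a constructed record of which cipher suites a host accepted on each protocol version (the target address and the cipher lists are made up for the example; a real scanner would supply them) and reports the three failing conditions separately: SSL/early TLS support, which is an automatic failure even when TLS 1.2 with strong ciphers is also offered; RC4 (QID 38601); and CBC suites on SSLv3/TLS 1.0 (QID 42366). The CBC test is a heuristic over OpenSSL-style suite names and is an assumption of this example, not part of the ASV guide. The last two functions build a server-side `ssl.SSLContext` that cannot negotiate any of these conditions and verify that claim against what the local OpenSSL actually enables.

```python
import ssl

# Constructed scan result for one host:port (not real scanner output).
# 203.0.113.10 is a documentation-range address used only for this example.
SAMPLE_SCAN = {
    "target": "203.0.113.10:443",
    "ciphers_by_protocol": {
        "SSLv3":   ["RC4-SHA", "AES128-SHA"],
        "TLSv1.0": ["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES256-SHA"],
        "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
    },
}

# ASV Program Guide: any of these is an automatic failure, regardless of ciphers.
SSL_OR_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def is_rc4(cipher: str) -> bool:
    return "RC4" in cipher.upper()


def is_cbc(cipher: str) -> bool:
    """Heuristic (assumption of this example): an OpenSSL suite name that
    carries a block cipher but no AEAD mode token is a CBC suite."""
    name = cipher.upper()
    if any(tok in name for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL")):
        return False
    return any(tok in name for tok in ("AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def audit(scan) -> list:
    """Return (identifier, detail) findings in a fixed order."""
    findings = []
    cbp = scan["ciphers_by_protocol"]

    # Condition 1: SSL or early TLS is supported at all. Note that the TLSv1.2
    # GCM suites in the sample do not rescue the host: the guide fails the
    # component to remove the forced-downgrade risk.
    early = sorted(p for p in cbp if p in SSL_OR_EARLY_TLS)
    if early:
        findings.append(("ASV-SSL-EARLY-TLS",
                         f"supports {', '.join(early)}; automatic failure regardless of cipher strength"))

    # Condition 2 (QID 38601): RC4 offered on any protocol version.
    rc4 = sorted({c for suites in cbp.values() for c in suites if is_rc4(c)})
    if rc4:
        findings.append(("QID 38601", f"RC4 ciphers offered: {', '.join(rc4)}"))

    # Condition 3 (QID 42366): CBC suites on SSLv3/TLSv1.0 (BEAST). CBC on
    # TLSv1.2 is not covered by this QID and is deliberately not flagged here.
    beast = sorted({f"{p}:{c}" for p in ("SSLv3", "TLSv1.0")
                    for c in cbp.get(p, []) if is_cbc(c)})
    if beast:
        findings.append(("QID 42366", f"CBC ciphers on SSLv3/TLSv1.0 (BEAST): {', '.join(beast)}"))
    return findings


def pci_status(scan) -> str:
    return "PCI Fail" if audit(scan) else "PCI Pass"


def hardened_context() -> ssl.SSLContext:
    """Server context that cannot negotiate SSLv3/TLS1.0/TLS1.1, RC4 or CBC.
    minimum_version removes the early protocols; the cipher string keeps only
    ECDHE key exchange with AEAD bulk ciphers (TLS 1.3 suites stay enabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def context_offers_weak(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are RC4 or non-AEAD (i.e. CBC); expected empty."""
    return [c["name"] for c in ctx.get_ciphers() if is_rc4(c["name"]) or not c["aead"]]


if __name__ == "__main__":
    for ident, detail in audit(SAMPLE_SCAN):
        print(f"{ident}: {detail}")
    print(SAMPLE_SCAN["target"], "->", pci_status(SAMPLE_SCAN))
    print("weak suites in hardened context:", context_offers_weak(hardened_context()))
```

Feeding the same checker a result that only lists TLSv1.2 with CBC suites returns no findings, which is the point of the QID split: CBC on TLS 1.2 is a hardening concern, but it is not what makes the two QIDs fail under the ASV rule.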

ASV Program Guide and PCI DSS are available in the PCI Council Document Library.

Comments

  1. Will this have any consequences for a server being assessed using SSL Labs ssltest?
    (Well, I think it should have some … Here is how I would handle it starting from May 1st.):

    – For any kind of an “A” rating, things must at least comply with the latest PCI DSS recommendations, which minimally means having any version of old TLS disabled, no CBC suites in use, ciphers correctly prioritized, and no other warnings being triggered in the overall result! (Robust TLS)
    – Only additional modern TLS features are eligible for receiving “A+” ratings (if the “A” criteria are fulfilled at least; otherwise any feature which is available WILL NOT LIFT the base result).

    – TLS 1.0 and TLS 1.1 used (but having protocol downgrade defenses deployed and/or HSTS deployed properly, cipher suites correctly prioritized AND no CBC suites in use AND TLS 1.2 also supported with modern browsers): B

    – Same as above but TLS 1.2 not supported at all: C
    – Same as above, TLS 1.2 also supported but having CBC suites in use: C
    – Same as above but TLS 1.2 not supported AND having CBC suites in use: D
    – Same as above but TLS 1.1 and TLS 1.2 not supported (only TLS 1.0 alone): E
    – Same as above but with no protocol downgrade defenses in place, improper or no prioritization of ciphers: F
    – Everything else that makes it even worse: F (also: as soon as there is still SSL3 or SSL2 enabled somewhere, in whichever otherwise “proper” or “less improper” configuration: F)

    – Supporting RC4 in any thinkable kind of configuration which ever might be possible: F
    – Supporting 3DES should at least result in an additional “-1” degrading penalty: B->C, C->D, D->E, E->F

    Kind regards!

    Bernd