Security Metrics PCI Compliance Fix: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Security Metrics tweaked their scan settings in 2017, and this finding recently started coming up as a problem.

Problem: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
The remote service supports the use of 64-bit block ciphers.

Background:

  • https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/
  • https://testssl.sh/openssl-rfc.mappping.html

First off, run the following command on your server:
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

It will return a list of cipher suites. Look to see whether this entry is in the list:

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

If you are running Apache, open the vhost file where your SSLCipherSuite is defined and remove this entry from the cipher list:

DES-CBC3-SHA

Then restart Apache and run the command again:
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

And make sure this line no longer appears:
TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

Rerun your Security Metrics scan and you should be okay.
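As an added example (not from the original post), the check above done offline in Python: one function picks the 64-bit block cipher suites out of nmap ssl-enum-ciphers output, and another removes the matching OpenSSL names from an Apache SSLCipherSuite value and appends the OpenSSL exclusion keyword !3DES, since broad aliases such as HIGH can include 3DES on some OpenSSL versions and removing only DES-CBC3-SHA would not catch that. The nmap listing and the SSLCipherSuite string are constructed samples.

```python
import re

# Constructed sample nmap ssl-enum-ciphers output (not captured from a real host),
# shaped like the listing the post tells you to inspect.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Constructed Apache SSLCipherSuite value that still contains the offending entry.
SAMPLE_SSLCIPHERSUITE = "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!aNULL:!MD5"

# Markers for 64-bit block ciphers in RFC/IANA suite names (as nmap prints them)
# and in OpenSSL names (as Apache's SSLCipherSuite uses them). 3DES is the SWEET32
# case; IDEA, RC2 and single DES share the 64-bit block size.
RFC_64BIT_MARKERS = ("3DES", "IDEA", "RC2", "_DES_CBC", "DES40")
OPENSSL_64BIT_MARKERS = ("DES-CBC3", "DES-CBC", "IDEA", "RC2")


def find_64bit_suites(nmap_output: str) -> list[str]:
    """Return the suite names in ssl-enum-ciphers output that use a 64-bit block cipher."""
    found = []
    for line in nmap_output.splitlines():
        m = re.search(r"\b(TLS_[A-Z0-9_]+)\b", line)
        if m and any(marker in m.group(1) for marker in RFC_64BIT_MARKERS):
            found.append(m.group(1))
    return found


def harden_cipher_suite(value: str) -> str:
    """Drop explicit 64-bit block cipher entries and exclude 3DES via the OpenSSL keyword."""
    kept = [c for c in value.split(":")
            if c and not any(marker in c for marker in OPENSSL_64BIT_MARKERS)]
    # !3DES also removes 3DES suites that an alias like HIGH might otherwise pull in.
    if "!3DES" not in kept:
        kept.append("!3DES")
    return ":".join(kept)
```

Feed the saved nmap output to find_64bit_suites and the current directive value to harden_cipher_suite; an empty list from the first after the change is the result the rescan is looking for.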