Security Metrics PCI Compliance Fix: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Security Metrics tweaked their scan settings in 2017, and this finding came up as a new failure.

Problem: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
The remote service supports the use of 64-bit block ciphers.



First off, run the following command against your server (from another host, so you see what the scanner sees):
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

It will return the ciphers offered under each protocol version. Look for 3DES suites such as this one (older nmap versions print a strong/weak rating after the name; newer ones print a letter grade and add a "64-bit block cipher 3DES vulnerable to SWEET32 attack" warning):

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

If you are running Apache, open the vhost file where your SSLCipherSuite is defined and remove the 3DES suites from that cipher list. Every vhost that defines its own SSLCipherSuite needs the same change.

Then restart your Apache server and run the command again:
nmap --script ssl-enum-ciphers -p 443 SERVER_IP

Make sure the 3DES suite no longer appears under any protocol version.

Rerun your Security Metrics scan and you should be okay.

Security Metrics PCI Compliance Changes and Fixes

Back in 2015, I did a Security Metrics scan on my site for PCI compliance, and noticed I had 3 new failures when they rescanned my site in early 2016.  What I suspect is that these tests were added:

Problem 1: TLS Version 1.0 Protocol Detection (PCI DSS)


Security Metrics is flagging TLS 1.0 itself as a vulnerability: PCI DSS 3.1 requires migrating off SSL and "early TLS", so a server that still negotiates TLS 1.0 fails the scan.

The remote service encrypts traffic using a protocol with known weaknesses.  The remote service accepts connections encrypted using TLS 1.0.

If you are running Apache, you might have a configuration parameter like this:
SSLProtocol all -SSLv2 -SSLv3

If you take a look at the mod_ssl docs for SSLProtocol

they say that 'all' is a shortcut for "+SSLv2 +SSLv3 +TLSv1" or, when using OpenSSL 1.0.1 and later, "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2", respectively. In other words, the old line above still leaves TLS 1.0 enabled.

Change your apache config to
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Then reload the Apache configuration:
sudo service apache2 reload

Two caveats: on an OpenSSL older than 1.0.1 this line disables every protocol, because there is no TLS 1.1 or 1.2 to fall back to, so check your OpenSSL version first. And with several name-based SSL vhosts on one address, set it in the default (first-listed) vhost as well as the others; older Apache releases apply the default vhost's SSLProtocol to the whole address.

Verify by rerunning the nmap ssl-enum-ciphers script and checking that TLSv1.0 is no longer listed, and you are good to go.
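Below is an added example, not code from the original post, that automates the two checks above. It parses the ssl-enum-ciphers output for 64-bit block cipher suites (3DES, single DES, IDEA and RC2, which is broader than the single 3DES suite shown above) and for legacy protocols, and it expands an Apache SSLProtocol value the way the quoted docs describe, so you can see exactly what `all -SSLv2 -SSLv3 -TLSv1` leaves enabled on an old versus a new OpenSSL. The nmap output is constructed for the example. The matching Apache cipher fix, assumed here rather than taken from the post, is to append `:!3DES` to the SSLCipherSuite value.

```python
"""Added example: audit nmap ssl-enum-ciphers output and Apache SSLProtocol values."""
import re

# Constructed sample in the layout nmap 7.x prints (nmap 6.x prints
# "CIPHER - strong" instead of a grade; the parser only needs the suite name).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

# Suite-name tokens that identify a 64-bit block cipher: 3DES, single DES
# (including export DES40), IDEA and RC2.
BLOCK64_RE = re.compile(r"(3DES|_DES(40)?_|IDEA|RC2)")
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers output."""
    suites, proto = {}, None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites[proto] = []
            continue
        m = SUITE_RE.search(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return suites


def sweet32_findings(output):
    """Sorted (protocol, suite) pairs that use a 64-bit block cipher."""
    found = []
    for proto, names in parse_ssl_enum_ciphers(output).items():
        found.extend((proto, n) for n in names if BLOCK64_RE.search(n))
    return sorted(found)


def legacy_protocols(output):
    """Offered protocols that PCI DSS no longer accepts (SSLv2/3 and TLS 1.0)."""
    offered = parse_ssl_enum_ciphers(output)
    return sorted(p for p in offered if p in ("SSLv2", "SSLv3", "TLSv1.0"))


def expand_sslprotocol(directive, openssl_101_or_later=True):
    """Expand an Apache SSLProtocol value into the sorted list of enabled protocols.

    Follows the mod_ssl rule quoted in the post: 'all' is +SSLv2 +SSLv3 +TLSv1,
    or, with OpenSSL 1.0.1 and later, additionally +TLSv1.1 +TLSv1.2. A bare
    name counts as '+name'; '-name' removes it wherever it appears on the line.
    """
    all_protos = ["SSLv2", "SSLv3", "TLSv1"]
    if openssl_101_or_later:
        all_protos += ["TLSv1.1", "TLSv1.2"]
    enabled, disabled = set(), set()
    for tok in directive.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = all_protos if name.lower() == "all" else [name]
        (disabled if sign == "-" else enabled).update(names)
    return sorted(enabled - disabled)


if __name__ == "__main__":
    print("SWEET32 suites:", sweet32_findings(SAMPLE_NMAP_OUTPUT))
    print("legacy protocols:", legacy_protocols(SAMPLE_NMAP_OUTPUT))
    print("old line:", expand_sslprotocol("all -SSLv2 -SSLv3"))
    print("new line:", expand_sslprotocol("all -SSLv2 -SSLv3 -TLSv1"))
    # The same new line on a pre-1.0.1 OpenSSL leaves nothing enabled.
    print("new line, old OpenSSL:", expand_sslprotocol("all -SSLv2 -SSLv3 -TLSv1", False))
```

Feed it the saved output of the nmap command above instead of the constructed sample; an empty list from `sweet32_findings` and `legacy_protocols` is what the rescan needs to see.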

Problem 2: SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)


Security Metrics is saying here that your server accepts SSH key exchanges with a 1024-bit Diffie-Hellman modulus: diffie-hellman-group1-sha1 uses a fixed 1024-bit group, and the group-exchange methods can negotiate a modulus that small.

The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.

First, run this command from outside the server to confirm the problem:

nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos

|   kex_algorithms (8)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1

Note here that the server is returning

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1

You can read these two links for more info

To fix it, edit the sshd configuration (/etc/ssh/sshd_config) and set KexAlgorithms to the key-exchange methods you want to keep, leaving out those two. Check the file with sshd -t so a typo cannot lock you out,

and then run sudo restart ssh

From outside the box, rerun the command and note that the kex algorithms now come back as a smaller set:

nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos
| kex_algorithms (2)
| diffie-hellman-group-exchange-sha256
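The example below is added here and is not code from the original post. It parses ssh2-enum-algos output, reports the key-exchange methods behind this finding, and builds the sshd_config KexAlgorithms line that keeps the server's remaining methods in their existing order. It also covers a caveat the procedure above does not mention: diffie-hellman-group-exchange-sha256 still lets the client request a modulus size, and if /etc/ssh/moduli contains groups of 1024 bits or less the server can hand one back, so the scanner finding can persist after the KexAlgorithms change. The nmap output and the moduli lines are constructed for the example; the weak-method list is my choice, not the post's.

```python
"""Added example: audit SSH key exchange from nmap output and filter small DH moduli."""
import re

# Constructed sample in the layout nmap prints for ssh2-enum-algos.
SAMPLE_SSH_ENUM = """\
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ecdsa-sha2-nistp256
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Constructed /etc/ssh/moduli lines: time type tests tries size generator modulus.
# The size column is the modulus length minus one; the modulus column is shortened.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 2 C9A0F1
20120821044046 2 6 100 1535 5 D8B1E2
20120821044100 2 6 100 2047 2 E7C2D3
20120821044200 2 6 100 4095 5 F6D3C4
"""

# group1 is a fixed 1024-bit group; GEX with SHA-1 can hand back <=1024-bit
# moduli and is SHA-1 based. Both trigger the scanner finding.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

SECTION_RE = re.compile(r"^\|_?\s+(\w+):?\s*\(\d+\)\s*$")
ITEM_RE = re.compile(r"^\|_?\s+(\S+)\s*$")


def parse_ssh2_enum_algos(output):
    """Return {section_name: [algorithms]} from ssh2-enum-algos output."""
    sections, current = {}, None
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections


def weak_kex(output):
    """Key-exchange methods the server offers that are on the weak list."""
    offered = parse_ssh2_enum_algos(output).get("kex_algorithms", [])
    return [k for k in offered if k in WEAK_KEX]


def hardened_kex_line(output):
    """sshd_config KexAlgorithms directive with the weak methods removed,
    keeping the server's own preference order for everything else."""
    offered = parse_ssh2_enum_algos(output).get("kex_algorithms", [])
    return "KexAlgorithms " + ",".join(k for k in offered if k not in WEAK_KEX)


def filter_moduli(moduli_text, min_bits=2048):
    """Drop /etc/ssh/moduli entries whose group is smaller than min_bits.

    A size field of 2047 means a 2048-bit group. Comments and blank lines
    pass through unchanged so the result is still a valid moduli file.
    """
    kept = []
    for line in moduli_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or int(fields[4]) + 1 >= min_bits:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("weak kex offered:", weak_kex(SAMPLE_SSH_ENUM))
    print(hardened_kex_line(SAMPLE_SSH_ENUM))
    print(filter_moduli(SAMPLE_MODULI))
```

On the server, the moduli step is the usual `awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.safe` followed by swapping the files, and sshd must be restarted for either change to take effect.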

Problem 3: Web Application Potentially Vulnerable to Clickjacking

The remote web server may fail to mitigate a class of web application vulnerabilities.

The remote web server does not set an X-Frame-Options response header in all content responses

The fix for this is pretty easy.

In Apache, add the X-Frame-Options header directive to apache2.conf (mod_headers must be enabled for it to work),

restart your server, and verify by requesting a page and inspecting the response headers.

Ensure X-Frame-Options gets returned. The scanner wording matters: it wants the header on all responses, so check an error page and a static file as well, not only the front page.
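The Apache directive the post refers to is, assumed here rather than copied from the post, `Header always set X-Frame-Options "SAMEORIGIN"`; `always` matters because plain `Header set` only applies to successful responses, and the scanner also looks at error pages. The example below is added and is not the post's code: a small localhost HTTP server that sends the header on every status, including 404s, next to the client-side check a scanner performs. The port is chosen at runtime and the paths are made up for the example.

```python
"""Added example: serve anti-clickjacking headers on every response and verify them."""
import http.server
import threading
import urllib.error
import urllib.request

# X-Frame-Options is what the scanner looks for; Content-Security-Policy
# frame-ancestors is the modern equivalent and is sent alongside it.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


class Handler(http.server.BaseHTTPRequestHandler):
    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # Equivalent of Apache's 'Header always set': added for every status,
        # not just 2xx, so error pages are covered as well.
        for name, value in ANTI_FRAMING_HEADERS.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/":
            self._send(200, b"hello\n")
        else:
            self._send(404, b"not found\n")

    def log_message(self, *args):  # keep the example quiet
        pass


def fetch_headers(url):
    """GET url and return (status, headers) even for 4xx/5xx responses."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def framing_protected(headers):
    """True if the response carries DENY/SAMEORIGIN X-Frame-Options or a CSP
    frame-ancestors directive. ALLOW-FROM is deprecated and not accepted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    csp = lowered.get("content-security-policy", "")
    return xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp


def check_server(paths=("/", "/missing")):
    """Start the server on a free port, check each path, return {path: (status, ok)}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        results = {}
        for p in paths:
            status, hdrs = fetch_headers("http://127.0.0.1:%d%s" % (srv.server_port, p))
            results[p] = (status, framing_protected(hdrs))
        return results
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, (status, ok) in check_server().items():
        print(path, status, "protected" if ok else "MISSING X-Frame-Options")
```

Point `fetch_headers` at your own site's front page, an error URL and a static file to reproduce what the scanner checks; `framing_protected` should be true for all three.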

Rescan your site and you should be good to go for Security Metrics PCI compliance!