SSL/TLS Recommended Cipher Suites (PCI DSS)

medium Nessus Plugin ID 159543

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS13_AES_128_GCM_SHA256
- 0x13,0x02 TLS13_AES_256_GCM_SHA384
- 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0xCC,0xAA DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.

Solution

Only enable support for recommended cipher suites.
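One way to check a server's configured cipher string against the list above (an added example, not part of the plugin or of Tenable's code): it assumes you have the output of `openssl ciphers -V '<your cipher string>'` and matches on the two-byte suite ID, because suite names differ between tools. The sample input is constructed.

```python
import re

# Two-byte IDs of the suites recommended in the Description above.
RECOMMENDED = {
    (0x13, 0x01), (0x13, 0x02), (0x13, 0x03),                 # TLSv1.3
    (0xC0, 0x2B), (0xC0, 0x2F), (0xC0, 0x2C), (0xC0, 0x30),   # TLSv1.2 ECDHE AES-GCM
    (0xCC, 0xA9), (0xCC, 0xA8), (0xCC, 0xAA),                 # TLSv1.2 CHACHA20-POLY1305
}

# One line of `openssl ciphers -V`:
#   "0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA ..."
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)"
)

def parse_ciphers(text):
    """Return [((hi, lo), name, protocol)] for every recognisable line."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank lines, warnings and anything else that is not a suite
            ident = (int(m.group(1), 16), int(m.group(2), 16))
            suites.append((ident, m.group(3), m.group(4)))
    return suites

def audit(text):
    """Split the enabled suites into (recommended, discouraged) lists."""
    ok, bad = [], []
    for ident, name, proto in parse_ciphers(text):
        entry = f"0x{ident[0]:02X},0x{ident[1]:02X} {name} ({proto})"
        (ok if ident in RECOMMENDED else bad).append(entry)
    return ok, bad

# Constructed sample in the format printed by `openssl ciphers -V`.
SAMPLE = """\
          0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

if __name__ == "__main__":
    recommended, discouraged = audit(SAMPLE)
    for entry in discouraged:
        print("discouraged:", entry)
    print(f"{len(recommended)} recommended, {len(discouraged)} discouraged")
```

`openssl ciphers -V` shows what a cipher string expands to in the local OpenSSL build; what the listening service actually offers still has to be confirmed with a rescan.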

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS

https://ssl-config.mozilla.org/

https://ciphersuite.info/page/faq/

https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/

https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_256_GCM_SHA384/

Plugin Details

Severity: Medium

ID: 159543

File Name: pci_ssl_recommended_ciphers.nasl

Version: 1.6

Type: remote

Family: General

Published: 4/6/2022

Updated: 2/21/2024

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from an in-depth analysis done by Tenable

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

Required KB Items: Settings/PCI_DSS

Excluded KB Items: Settings/PCI_DSS_local_checks