Payment Card Industry Data Security Standard (PCI DSS), getting with the program.

These are notes for achieving conformance with PCI DSS. PCI DSS is a bit of private-market bureaucracy that basically amounts to an agreement to use secure practices, and to implement a system with security enabled and insecure services and features disabled. The website was heavy on bureaucracy and the technical info was hard to find. First, you need to get the PCI DSS standard, v.2.0. It’s a PDF download.

Next, get nmap on your server and your desktop. You have to scan the server over and over. With nmap, do this:

nmap -A -T4 myserver.com

You’ll get output like this:

Nmap scan report for myserver.com (0.0.0.0)
Host is up (0.072s latency).
rDNS record for 0.0.0.0 myserver.com
Not shown: 927 filtered ports, 64 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.17 ((FreeBSD) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.6 with Suhosin-Patch)
|_html-title: 403 Forbidden
110/tcp  open  pop3     Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp  open  imap     Courier Imapd (released 2011)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp  open  ssl/http Apache httpd 2.2.17 ((FreeBSD) mod_ssl/2.2.17 OpenSSL/1.0.0d PHP/5.3.6 with Suhosin-Patch)
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html; charset=iso-8859-1).
465/tcp  open  ssl/smtp qmail smtpd
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO c.slaptech.net, AUTH LOGIN CRAM-MD5 PLAIN, AUTH=LOGIN CRAM-MD5 PLAIN, STARTTLS, PIPELINING, 8BITMIME
|_HELP qmail home page: http://pobox.com/~djb/qmail.html
993/tcp  open  ssl/imap Courier Imapd (released 2011)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp  open  ssl/pop3 Courier pop3d
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
8000/tcp open  http     Icecast streaming media server
|_html-title: Icecast Streaming Media Server
Service Info: OSs: Unix, FreeBSD

My first goal is to get rid of the SSLv2 warning. Some websites said this was a PCI violation. To do this, first read the mod_ssl docs. Then, you need to alter the configuration file a bit. My file was /usr/local/etc/apache22/extras/httpd-ssl.conf. I added this line to the global config:

SSLProtocol ALL -SSLv2

That enables all but the SSLv2 protocol, which is the oldest protocol and is considered insecure. The newer ones are SSLv3 and TLSv1.

Also, alter the ciphers. Look for the SSLCipherSuite line and change it to:

SSLCipherSuite TLSv1:IDEA:SHA1:HIGH:-LOW:-MEDIUM

I’m not sure I have that right, but it’s mostly about enabling TLSv1, and disabling the LOW and MEDIUM grade ciphers. “TLSv1” above is an alias for a number of different ciphers. See the SSLCipherSuite section in the mod_ssl docs for more information — it’s too complex to describe here. But, in short, negotiating an SSL connection involves several phases, and in each phase, you can use different ciphers. Some are considered stronger than others. Exchanging data with these ciphers requires that both the client and the server have the required programs to handle the ciphers. That’s why there are choices — the programs will try to work with what they’ve got, and also try to use the most secure ciphers.

Your job is to disable the less secure protocol, SSLv2, and not include the less secure ciphers. Read the mod_ssl docs for more details and info on how to list available ciphers.

Next, you have to establish a new virtual server for the web store. This requires creating a new Apache conf file, using this default file as a template.

The main thing about making an SSL site is getting those certificates, putting them in a safe place, setting the permissions, and getting the server to come up. Just for starters, get a certificate from CAcert.org or make a self-signed certificate. You can “upgrade” to a commercial certificate after you’ve configured the server correctly.
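The two config edits above (SSLProtocol and SSLCipherSuite) and the "safe place, set the permissions" point about the key both come down to checks that can be run before the next nmap pass. The following Python checker is an added example, not the project's or the post's own code: it applies SSLProtocol's `+`/`-` grammar to see whether SSLv2 survives, checks that the cipher string removes the LOW and MEDIUM groups (OpenSSL accepts `-GROUP`, which a later entry can re-add, and `!GROUP`, which removes it for good), and checks that the private key file is not readable by group or other. The config fragments are constructed for the example; the weak one is an invented permissive setup, the hardened one is the post's. The parser assumes plain one-line `Directive value` entries, which is all these two directives need.

```python
import os
import stat
import tempfile

# Constructed config fragments: a permissive SSL setup beside the hardened form from the notes above.
WEAK_CONF = """\
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED_CONF = """\
SSLProtocol ALL -SSLv2
SSLCipherSuite TLSv1:IDEA:SHA1:HIGH:-LOW:-MEDIUM
"""

# The protocols the mod_ssl of that era knows; "all" expands to these.
KNOWN_PROTOCOLS = ("sslv2", "sslv3", "tlsv1")


def parse_directives(conf_text):
    """Map 'Directive value' lines of a fragment to {directive: value}; comments and blanks skipped."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def enabled_protocols(value):
    """Apply SSLProtocol's +/- grammar left to right and return the set left enabled."""
    enabled = set()
    for token in value.split():
        op, name = "+", token
        if token[0] in "+-":
            op, name = token[0], token[1:]
        names = KNOWN_PROTOCOLS if name.lower() == "all" else (name.lower(),)
        for n in names:
            if op == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled


def excluded_cipher_groups(value):
    """Cipher-string entries removed with '-' (can be re-added later) or '!' (removed for good)."""
    return {tok[1:].upper() for tok in value.split(":") if tok[:1] in ("-", "!")}


def key_file_world_readable(path):
    """True if group or other hold any permission bit on the private key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & 0o077)


def lint_ssl_conf(conf_text, key_path=None):
    """Return the problems a PCI scan would flag in this fragment (an empty list means clean)."""
    findings = []
    d = parse_directives(conf_text)
    # mod_ssl's default for a missing SSLProtocol is "all", which includes SSLv2.
    if "sslv2" in enabled_protocols(d.get("SSLProtocol", "all")):
        findings.append("SSLProtocol still allows SSLv2")
    excluded = excluded_cipher_groups(d.get("SSLCipherSuite", ""))
    for group in ("LOW", "MEDIUM"):
        if group not in excluded:
            findings.append(f"SSLCipherSuite does not exclude {group}-grade ciphers")
    if key_path is not None and key_file_world_readable(key_path):
        findings.append(f"{key_path}: private key is readable by group/other; chmod 600 it")
    return findings


def key_permission_demo():
    """Create a throwaway stand-in for a key file, check it at 0644, fix it to 0600, re-check."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = key_file_world_readable(path)
        os.chmod(path, 0o600)
        after = key_file_world_readable(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("weak:", lint_ssl_conf(WEAK_CONF))
    print("hardened:", lint_ssl_conf(HARDENED_CONF))
    print("key 0644 -> 0600 world-readable:", key_permission_demo())
```

Point `lint_ssl_conf` at the text of your httpd-ssl.conf and at the SSLCertificateKeyFile path to check a real server. The protocol list is the one the post's mod_ssl offered; on a current server the same check should also treat SSLv3 and TLSv1.0 as protocols to drop, which only means extending the tuple tested in `lint_ssl_conf`.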

But, before you can do that, you need to allocate an IP address for the website. This is a limitation of Apache and OpenSSL, at this time. Until recently, there was no way to run name-based virtual hosts with SSL; the problem was that SSL was negotiated before the hostname was sent to the server, so you could only have one certificate per IP address.

Today, there’s a feature called Server Name Indication (SNI) that allows it. Read about gnutls and SNI and Apache with SNI. Also read Wikipedia on SNI – it indicates that any version of IE on Windows XP does not support SNI. Therefore we can’t use SNI on the server. We must use IP addresses for vhosting.

Lock down the default virtual host.

(I’m not sure if it complies with the export laws as stated in the agreement, but it probably does.)