Koozali.org formerly Contribs.org

Setting SME up for PCI-DSS compliance

Setting SME up for PCI-DSS compliance
« on: August 05, 2019, 09:54:01 AM »
I have a client running SME 9.2 that is using hand-held credit/debit card readers. They have to meet PCI-DSS requirements or face extra charges on every transaction.

In order to meet the requirements, TLSv1.0 had to be disabled on all open ports. There are also some requirements to disable some encryptions suites that are considered insecure (looking at the requirements, they seem like overkill to me, but...).

After a bit of hunting, I found some discussion on this subject from some time ago:

https://forums.contribs.org/index.php?topic=52120.0

https://bugs.contribs.org/show_bug.cgi?id=9154

In the listed bug, there is a suggestion that all SSL/TLS settings be moved to modSSL and allow control of all ports, rather than just http ports. I've not found any indications that this was done, and I'm wondering what I can do to disable TLSv1.0 on all open ports in this server. I'm also wondering if there is any option to disable individual cypher suites in TLSv1.1 and 1.2?

Is anyone else running SME server in an environment that requires PCI-DSS compliance?

Paul.

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #1 on: August 06, 2019, 01:42:01 PM »
I have a client running SME 9.2 that is using hand-held credit/debit card readers. They have to meet PCI-DSS requirements or face extra charges on every transaction.

Yuck.

Quote
In order to meet the requirements, TLSv1.0 had to be disabled on all open ports. There are also some requirements to disable some encryptions suites that are considered insecure (looking at the requirements, they seem like overkill to me, but...).

It most likely is overkill, but they are the piper and you have no choice but to follow them over the edge of the cliff....

Quote
In the listed bug, there is a suggestion that all SSL/TLS settings be moved to modSSL and allow control of all ports, rather than just http ports.

It wasn't as far as I am aware, because it isn't that easy.

Quote
I've not found any indications that this was done, and I'm wondering what I can do to disable TLSv1.0 on all open ports in this server. I'm also wondering if there is any option to disable individual cypher suites in TLSv1.1 and 1.2?

Yes, and no... :-)

To test stuff add sslscan

Code: [Select]
yum --enablerepo=epel install sslscan
Before you start read read https://forums.contribs.org/index.php/topic,52120.msg266805.html#msg266805 because this truly is a rabbit hole.

From https://bugs.contribs.org/show_bug.cgi?id=9154#c11

Code: [Select]
config setprop httpd-e-smith TLSv1 disabled
signal-event post-upgrade && signal-event reboot

Then run
Code: [Select]
sslscan -html your.server:443
Quote
  Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  0 bits    (NONE)
    TLS11  256 bits  ECDHE-RSA-AES256-SHA
    TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384

Quote
Is anyone else running SME server in an environment that requires PCI-DSS compliance?

No idea - the requirements are stringent and you might need a server specially crafted to handle it in all honesty.

You can disable POP services, and enable some cipher stuff on qmail and qspmtpd. However, having looked, there are various settings but the info is splattered all over the place :-(

Talking with Terry and seeing if we can't try and get all this stuff in one place

Some other links.

qmail SSL/TLS - package in updates testing but no on/off switch yet.
https://bugs.contribs.org/show_bug.cgi?id=9349

https://wiki.contribs.org/Qpsmtpd:tls

https://wiki.contribs.org/DB_Variables_Configuration

Look for qpsmtpd ciphers
db configuration setprop qpsmtpd tlsCipher XXX

Bear with us and we'll see if we can't tidy some of this up a bit. Know any decent test sites?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #2 on: August 06, 2019, 01:47:14 PM »
Just tested my home one with this site and I passed basic PCI-DSS !

https://www.immuniweb.com/websec/

Probably a load of sites about so have a look
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #3 on: August 06, 2019, 01:57:44 PM »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #4 on: August 07, 2019, 01:46:48 PM »
FYI I have set up a doc for me and Terry to make some notes and try and collate all the SSL/TLS settings in one place.

It might take a little while to do but we are on the case.

If you would like to chat about it and help out then let me know and I can add you as a user on our RocketChat instance that we use to batter a few ideas about.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Setting SME up for PCI-DSS compliance
« Reply #5 on: August 11, 2019, 01:57:59 AM »
Sorry for the slow response - bad week...

Yuck.

:) I agree. What is worse is that there seem to be wildly differing standards used. Three of the systems I maintain make use of card readers that connect over the internet and should therefore all need to meet PCI-DSS requirements. Only one of those systems is currently facing this problem, even though it almost certainly has the lowest levels of use.

Quote
It most likely is overkill, but they are the piper and you have no choice but to follow them over the edge of the cliff....

It seems to me that someone has found a wonderful means of making money. Security Metrics are the company doing compliance testing in this instance, and their standards don't seem to take account of other protections that limit the ability of an attacker to get the sort of access to a system that would be required to break even the weakest of the cipher suites.

But, as you say, no choice but to follow....

Quote
It wasn't as far as I am aware, because it isn't that easy.

That explains it - I didn't find any further follow-up to that bug report and my testing shows that the restriction on use of TLSv1.0 is only on HTTPS rather than on any of the other services. Which is a problem, since the Security Metrics scan has found weaknesses in all open ports on the system.

Quote
Yes, and no... :-)

To test stuff add sslscan

Code: [Select]
yum --enablerepo=epel install sslscan

I've been using sslscan for a while. I've also found testssl.sh (https://testssl.sh/) useful in checking what protocols and ciphers are in use on systems.

Quote
Before you start read read https://forums.contribs.org/index.php/topic,52120.msg266805.html#msg266805 because this truly is a rabbit hole.

A good description. I had found that one in my searching for answers. Not eager to start editing templates, though I guess I may have to do just that.

Quote
From https://bugs.contribs.org/show_bug.cgi?id=9154#c11

Code: [Select]
config setprop httpd-e-smith TLSv1 disabled
signal-event post-upgrade && signal-event reboot

Then run
Code: [Select]
sslscan -html your.server:443

Done that on a couple of the systems. It effectively drops TLSv1.0, but still leaves a number of cipher suites that are considered weak available. Not to mention that it only covers HTTPS. If I had to, I could close the HTTPS ports (though I'd rather not, since several of the users do make use of webmail and seem resistant to changing to a real email client). Only one of the systems I look after has a local website - the rest all use remotely hosted web sites.

Quote
No idea - the requirements are stringent and you might need a server specially crafted to handle it in all honesty.

I've found a couple of systems that are supposed to meet the requirements. I keep hoping that either SME or Nethserver can cover it - I know almost nothing about the commercial options, other than the fact that they seem to be hideously expensive.

Quote
You can disable POP services, and enable some cipher stuff on qmail and qspmtpd. However, having looked, there are various settings but the info is splattered all over the place :-(

I'm glad to say that none of the systems have POP3 enabled - all IMAP for mail. But, as you say, getting the other options set seems to involve changes all over the place.

Quote
Talking with Terry and seeing if we can't try and get all this stuff in one place

Some other links.

qmail SSL/TLS - package in updates testing but no on/off switch yet.
https://bugs.contribs.org/show_bug.cgi?id=9349

https://wiki.contribs.org/Qpsmtpd:tls

https://wiki.contribs.org/DB_Variables_Configuration

Look for qpsmtpd ciphers
db configuration setprop qpsmtpd tlsCipher XXX

Bear with us and we'll see if we can't tidy some of this up a bit. Know any decent test sites?

Great, thanks. I've been using SME for quite a long time (first installed system was 7.1) and while I quite like some of the things Nethserver is doing, I'm much more familiar with SME and have built a lot of trust in it.

Re: Setting SME up for PCI-DSS compliance
« Reply #6 on: August 11, 2019, 03:08:53 AM »
Just tested my home one with this site and I passed basic PCI-DSS !

https://www.immuniweb.com/websec/

Probably a load of sites about so have a look

I'd not seen that site. Just tried it on a couple of systems (the one with the problem and a Nethserver system). Bot passed basic PCI-DSS. Unfortunately, that is only on http/https, doesn't cover the other ports. Certainly interesting to see what they're looking at.

Re: Setting SME up for PCI-DSS compliance
« Reply #7 on: August 11, 2019, 03:10:31 AM »
FYI I have set up a doc for me and Terry to make some notes and try and collate all the SSL/TLS settings in one place.

It might take a little while to do but we are on the case.

If you would like to chat about it and help out then let me know and I can add you as a user on our RocketChat instance that we use to batter a few ideas about.

That sounds great. Please do. I'm happy to help in any way I can, and would love to learn more about how the whole lot fits together...

Offline TerryF

  • grumpy old man
  • *
  • 1,358
Re: Setting SME up for PCI-DSS compliance
« Reply #8 on: August 11, 2019, 04:22:16 AM »
John is being nice :-), he and JP are doing the initial work, they need all and any help they can get...
--
qui scribit bis legit

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #9 on: August 11, 2019, 12:14:54 PM »
Kk... I'll set an account later and mail you details to your gmail on your foro account.

I think the point is a lot of this IS about making cash. Expensive consultants & expensive solutions.

So they insist you use say SSL/TLS for email which is only as good as the next hop... because it could go through an unencrypted connection later + other issues and you'd never know (see discussions in foros about this), but then don't insist on PGP to encrypt the content.

There is zero reason to run http now beyond instant redirect to https.

Anyways, lets chat on Rocket... it's easier to thrash things about there.

I have a private gdoc I can share. Adding those test links will be good.

Speak soon.
« Last Edit: August 11, 2019, 01:25:18 PM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #10 on: August 11, 2019, 01:24:59 PM »
Rocket done

There is a genenral SME chat channel and I have just setup a specific 'Discussion' for SSL

There is a gdoc with the link there - I can share it with you.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Setting SME up for PCI-DSS compliance
« Reply #11 on: August 16, 2019, 12:46:39 PM »
Not what you want to hear, but I gave up trying to get SME to be accepted by their tests.
Found out, by sheer chance, that the customer can request a 3G version of the card reader! Problem solved, it then becomes the card readers problem!

Paul
Infamy, Infamy, they all have it in for me!

Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #12 on: August 16, 2019, 01:03:14 PM »
Always good to look at alternatives !

It is still a good exercise for us to look at the SSL stuff regardless though.

Just not enough time :-(
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Setting SME up for PCI-DSS compliance
« Reply #13 on: August 18, 2019, 07:09:28 AM »
Not what you want to hear, but I gave up trying to get SME to be accepted by their tests.
Found out, by sheer chance, that the customer can request a 3G version of the card reader! Problem solved, it then becomes the card readers problem!

Paul

:) I can understand the frustration. Looked at using the card readers on the phone line - that would also sidestep the issue. I would really like to see SME able to handle this sort of thing though - if only to be able to stick my tongue out at Security Metrics...

At the moment, I'm playing telephone tag with one of their scan technicians, in the hope of finding out what they would recommend to do the job. So far, the only systems I've seen which claim PCI-DSS compliance are hosted systems, no use at all in this situation.


Offline ReetP

  • *
  • 2,809
Re: Setting SME up for PCI-DSS compliance
« Reply #14 on: April 25, 2020, 11:22:47 AM »
As a follow up, and following chats on RocketChat, we have some updated defaults we think will pass PCI-DSS compliance.

Big hat tip to Catton for his work.

We'll look at posting this and updating some defaults.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation