5

I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers, and later I would look at performing the same on Linux servers running Apache.

John
  • Check out https://www.nartac.com/Products/IISCrypto/Default.aspx for a tool that will help you configure IIS to be PCI or FIPS compliant. From related question: http://serverfault.com/a/624857/33095 – Greg Bray Aug 29 '14 at 01:33

2 Answers

2

It depends on the version of Windows/IIS. In 2003 (IIS 6) and earlier, this can't be done. You can only enable/disable ciphers. In Windows 2008 (IIS 7) and later, you can do this through a GPO (if you're domain joined, and I'm guessing this server isn't if it's PCI compliant).

More info here: http://technet.microsoft.com/en-us/library/cc766285(v=ws.10).aspx

John Homer
  • Thank you for the info and the link. Do you know what order I should put them in? – John Feb 22 '12 at 23:01
  • If PCI doesn't recommend a particular priority (and I believe Shane is correct when he says they don't below), then I wouldn't worry about it. The DSS spec is so airtight as it is, you shouldn't have any problems. – John Homer Feb 23 '12 at 15:34
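Added example, not from the answer above and not Microsoft's own tooling: the "SSL Cipher Suite Order" GPO setting mentioned in the answer writes a comma-separated list to the registry, and this PowerShell function reads that list back so an assessor can see the effective priority and spot suites that should be disabled rather than merely deprioritised. The substrings used as "weak" markers are an assumption for illustration, not a list taken from the PCI DSS or FIPS documents.

```powershell
# Added example (not from the answer or Microsoft docs): audit the cipher suite
# priority list that the "SSL Cipher Suite Order" policy stores in the registry.
# The weak-suite markers below are an assumption for illustration.
function Get-TlsCipherSuiteOrderReport {
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $valueName = 'Functions'

    $key = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $key) {
        # No policy applied (or pre-2008 host): Schannel's built-in default order is in effect.
        return [pscustomobject]@{
            Configured = $false
            Suites     = @()
            Warnings   = @('No policy order set; Schannel default order applies')
        }
    }

    $raw      = [string]$key.$valueName
    $suites   = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $warnings = @()

    # The policy string is limited to 1023 characters; suites past that limit are dropped.
    if ($raw.Length -gt 1023) {
        $warnings += "Order string is $($raw.Length) chars; Schannel truncates at 1023"
    }

    # Substrings that indicate suites an assessor would expect to be removed, not just moved down.
    # -match is case-insensitive, so 'anon' also catches TLS_DH_anon_* names.
    $weakMarkers = 'NULL', 'RC4', 'DES', 'MD5', 'EXPORT', 'anon'
    for ($i = 0; $i -lt $suites.Count; $i++) {
        foreach ($m in $weakMarkers) {
            if ($suites[$i] -match $m) {
                $warnings += "Position $($i + 1): $($suites[$i]) matches weak marker '$m'"
                break
            }
        }
    }

    [pscustomobject]@{ Configured = $true; Suites = $suites; Warnings = $warnings }
}

# Print the configured order (position 1 is preferred first) and any findings.
Get-TlsCipherSuiteOrderReport | Format-List
```

Run it in an elevated PowerShell session after the GPO has applied (gpupdate), since the key only exists once the policy has been set.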
2

Why would you assume that there's a priority needed?

No compliance standard that I've ever heard of has recommended a specific priority; after all, if a cipher's insecure, it should be turned off instead of just de-prioritized.

That said, preferring RC4 over CBC-constructed ciphers might be wise until TLS 1.1 is widely deployed; see CVE-2011-3389.

Shane Madden