When performing a PCI scan, the test may fail because of the SWEET32 vulnerability, with the following message:
Path: /TLS server supports short block sizes SWEET32 attack
Information From Target:
Server accepted TLS 1.1 64-bit block size cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA
- Kerio Control Webadmin
- Kerio Control via SSH
- Log in to Kerio Control console via SSH.
- Make the system read/writeable by running the following command:
$ mount -o rw,remount /
- Open the following file:
- Find the table <table name="SSL"> and replace the CipherList variable with the following line:
As you can see, -DES-CBC3-SHA was added at the end.
- Save changes made to the file.
- Reboot Kerio Control using the command below:
Note: For better security, you can disable the TLS v1.0 protocol.
The PCI scan or SSL test completes successfully.
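
Before re-running the PCI scan, the change can be checked locally by offering only the flagged suite to the server. The script below is an added example, not part of the original article or of Kerio's tooling; it assumes an `openssl` client on the admin workstation that supports `-no_tls1_3` (OpenSSL 1.1.1 or later), and HOST and PORT are placeholders for your own appliance.

```shell
#!/bin/sh
# Added example: re-test the scan finding locally with openssl s_client.
# TLS_RSA_WITH_3DES_EDE_CBC_SHA is called DES-CBC3-SHA in OpenSSL cipher lists.
CIPHER="DES-CBC3-SHA"

# Read s_client output on stdin and print one verdict:
#   ACCEPTED      the server negotiated the 3DES suite (finding still open)
#   REJECTED      the handshake ended with no cipher negotiated
#   INCONCLUSIVE  no handshake result at all (connect error, bad option)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Fq "Cipher is $CIPHER"; then
        echo ACCEPTED
    elif printf '%s\n' "$out" | grep -Fq "Cipher is (NONE)"; then
        echo REJECTED
    else
        echo INCONCLUSIVE
    fi
}

# A client built without 3DES cannot offer it, so every server would look
# fixed. Check the local openssl first.
client_can_offer() {
    openssl ciphers "$CIPHER" >/dev/null 2>&1
}

# check_sweet32 HOST [PORT]  (exit status 0 only when 3DES is rejected)
check_sweet32() {
    if ! client_can_offer; then
        echo INCONCLUSIVE
        return 2
    fi
    # -no_tls1_3 keeps the handshake on the versions where -cipher applies.
    verdict=$(openssl s_client -connect "$1:${2:-443}" -cipher "$CIPHER" \
        -no_tls1_3 </dev/null 2>&1 | classify_handshake)
    echo "$verdict"
    [ "$verdict" = REJECTED ]
}

# Runs only when a host is given: sh check_sweet32.sh HOST PORT
if [ "$#" -ge 1 ]; then
    check_sweet32 "$@"
fi
```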