NGNIX, SSL Certificates and PC-DSSI 3.1

JasonGenX asked:

We are going to have to pass a PCI 3.1 audit for the web application we’re currently developing. It’s on Amazon EC2 running NGINX under Debian.

We’re in contact with Symantec for certificates and we’re particularly interested in the Secure Site Pro with EV one and the Wildcard one (we would have one server with dynamic sub-domain names and that’s why we’re thinking about the wildcard one)

I just wanted to make sure I’m not going to spend thousands of dollars and find out these aren’t adequate for PCI 3.1 or that someone the combination of NGINX and Debian is not going to be working for those types of certs.

Does anyone have experience with trying to be PCI-DSS 3.1 compliant that can give some advice as to which SSL certificates we should be getting?

My answer:

TL;DR: PCI-DSS 3.1 is effective immediately, but the requirement to disable TLS 1.0 and SSL 3 takes effect after 30 June 2016.

In most cases you should have already disabled SSL 3 months ago, or more, for the POODLE vulnerability. So that isn’t a concern.

The interesting part of this requirement is not being able to use TLS 1.0.

The official word is:

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Prior to this
date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective
immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they
connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS, may continue using these as a security
control after 30th June, 2016.

Migrating from SSL and Early TLS, PCI-DSS Information Supplement

Where “early TLS” is defined as TLS 1.0. Only TLS 1.1 and 1.2 will be permitted, and 1.2 is strongly recommended.

While you will still be allowed to use TLS 1.0 and SSL 3 for point of sale devices and their backends, provided you can prove you’ve mitigated every possible problem, you should strongly consider updating these as well.

As an aside, this is yet another nail in Windows XP’s coffin…

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.