Forum Discussion

natesmith317_18's avatar
natesmith317_18
Icon for Nimbostratus rankNimbostratus
Dec 02, 2015

PCI Cipher Set

Can someone provide a good LTM client cipher set that would pass PCI ASV as well as support as many browsers as possible? I know no one can support IE 6-10 due to it not having TLS 1.2 and still be P...
  • Hannes_Rapp_162's avatar
    Dec 03, 2015

    Good morning,

    I've read that CBC in combination with TLS1.2 is OK to use in case of PCI DSS 3.1 which will be enforced June 2016. Furthermore, our apps that process Visa and Mastercard payments were PCI-passed just this year with the same string I gave you initially. Without any changes, this will also pass the PCI DSS audit in June 2016. Can you specify which PCI version your scanner is using as the basis? I think youre too much ahead of the time, and those rules are probably not yet enforced at this point. Please clarify if you believe I'm not correct on that.

    Nevertheless, to meet the requirements of your scanner, I've come to this string. Give it a try 🙂

     tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
     4:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
     5:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  DHE/DSS
     6: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
     7: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
     8: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES     SHA384  ECDH_RSA
     9: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES     SHA384  ECDH_ECDSA
    10:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA
    11:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
    12: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
    13: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    14: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    15: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
    16:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
    17:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  DHE/DSS
    18: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
    19: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
    20: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES     SHA256  ECDH_RSA
    21: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES     SHA256  ECDH_ECDSA
    22:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM  SHA256  RSA
    23:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA