We have just been chased by PCI Compliance about vulnerabilities that were detected: WEAK CIPHER support and TCP Timestamp being turned ON.
-- The report says our application:
Negotiated with the following insecure cipher suites. SSLv3 ciphers:
TLS/SSL Server Supports Weak Cipher Algorithms
Configure the server to disable support for weak ciphers.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the
SSLCipherSuite line to read:
I have looked at some articles and there are a few ways to do that. We are using the DEFAULT cipher in our SSL Client Profile, so do we just change that to
Replace DEFAULT with their suggested CIPHER
With TCP timestamps, we have disabled this on the application servers, but it looks like this is turned ON in F5 for High Performance.
I normally see people using the cipher string from this sol if there is no special requirement.
sol13171: Configuring the cipher strength for SSL profiles (11.x)
For TCP timestamp, is it this one?
TCP timestamp response
sol8072: Obtaining uptime information from TCP timestamps
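One way to check a candidate cipher string before pasting it into the SSL profile, as an added example (not code from the sol or from F5): expand the OpenSSL-syntax string with Python's ssl module and list any weak suites it still enables. It assumes the local OpenSSL expansion is close to what the BIG-IP build would accept, and it models only the suite list, not the protocol-version keywords (such as !SSLv3) that sol13171 describes.

```python
import ssl

# Substrings that mark a suite as weak for a PCI-style scan: RC4, single and
# triple DES, export grade, MD5 MAC, NULL encryption/auth, anonymous DH.
WEAK_MARKERS = ("RC4", "DES", "EXP", "MD5", "NULL", "ADH", "AECDH")


def is_weak(suite_name: str) -> bool:
    """True if the suite name carries one of the weak-algorithm markers."""
    upper = suite_name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def expand(cipher_string: str) -> list:
    """Expand an OpenSSL-syntax cipher string into the suites it enables.

    Uses the local OpenSSL build through Python's ssl module, so the result
    is an approximation of what a BIG-IP profile would accept (assumption:
    the BIG-IP build knows a similar suite set; confirm on the box).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_suites(cipher_string: str) -> list:
    """Names of the weak suites a cipher string still leaves enabled."""
    return sorted(c["name"] for c in expand(cipher_string) if is_weak(c["name"]))


# Hardened string constructed for this example (not a vendor recommendation):
# start from ALL rather than DEFAULT and strip each weak family explicitly.
HARDENED = "ALL:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5"

if __name__ == "__main__":
    for label, cs in (("DEFAULT", "DEFAULT"), ("hardened", HARDENED)):
        left = weak_suites(cs)
        print(f"{label}: {len(expand(cs))} suites, weak remaining: {left or 'none'}")
```

Whatever this reports, the authoritative check is the BIG-IP itself, since its TMM build decides which suites a profile actually offers.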
Security through obscurity...
Anyway it looks like they added the option to disable this. In version 11.4.0 and up they separated window scaling from timestamp for the high performance options in the TCP Profile.
Still not recommended to disable, but if you cannot accept the risk with PCI at least you have the option. Is this coming up in a formal audit, or just a security scan? I don't think PCI strictly states this option must be off, and thus it is open to each auditor/penetration test to decide. I'd push back on them, and use sol8072 above as supporting evidence.
After lots of trial and error the following string works for me. Citrix Web Interface worked with other strings, but Citrix Receiver was taking too long at "negotiation capabilities"; with the below string, everything is within acceptable limits.