PCI Compliance Scan Certificate errors
12/30/2019 
588 
17786
DESCRIPTION:
This article shows some of the PCI Scan Certificate errors related to PCI Compliance and the explanation or the way to resolve them.
RESOLUTION:
Here's some of the errors:
- SSLv2 Supported
SonicWall UTM appliances do not support SSLv2. This error could be due to a device, like a webserver, behind the SonicWall using SSLv2. - SSL Weak Encryption Algorithms
This error could be due to a device, like a webserver, behind the SonicWall using less than 128 bit encryption. SonicWall UTM appliances support the following cipher-suites:
| Protocol Version | Cipher Suite | Encryption bit |
| SSLv3 | AES256-SHA | 256 |
| SSLv3 | DES-CBC3-SHA | 168 |
| SSLv3 | AES128-SHA | 128 |
| SSLv3 | RC4-MD5 | 128 |
| SSLv3 | RC4-SHA | 128 |
| TLSv1 | AES256-SHA | 256 |
| TLSv1 | DES-CBC3-SHA | 168 |
| TLSv1 | AES128-SHA | 128 |
| TLSv1 | RC4-MD5 | 128 |
| TLSv1 | RC4-SHA | 128 |
- SSL certificate is signed with weak hash function
All SonicWall devices with the latest SoniOS firmware, Gen4 and Gen5 - both SonicOS Standard and Enhanced - use SHA1 in the SonicWall self-signed certificate. This error could be due to a device behind the SonicWall using MD5.
If it is determined that this vulnerability is found in the SonicWall, then it could be due to importing a 3rd party certificate with a weak hash.
In rare cases a SonicWall self-signed certificate with the latest firmware could have MD5. In such cases the reason could be upgrading from an older firmware hasn't still made SonicWall use SHA1 hash. The suggested workaround would be to change the Certificate Common Name (CN) under System > Administration page and restart. This will force the SonicWall to re-generate the self-signed certificate and use SHA1.
- SSL Certificate is Self-Signed
All SonicWall UTM appliances have an inbuilt self-signed certificate. By default, this certificate is used for HTTPS web management. It is recommended to use a certificate signed by a third party Certificate Authority (CA) like Verisign or GoDaddy. Refer these articles on how to obtain certificates from a public CA, GoDaddy and Thawte as examples: - SSL Certificate is Not Trusted
This error occurs when the certificate in the HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases this happens when the CA is private. For example, a Windows CA. Obtain a certificate signed by a public CA. - SSL Certificate has an IP Address as the Common Name
The certificate used in HTTP web management or SSL VPN has IP address instead of FQDN in Common Name (CN) field. Obtain a certificate with an FQDN as its CN or Subject Alternative Name. - Subject Common Name Does Not Match Server FQDN
Obtain a certificate whose Subject Common Name (CN) or Subject Alternative Name (SAN) matches the FQDN used to access it. For example, if the scan is being done using the FQDN www.example.com, the certificate must have its CN or SAN as www.example.com or *.example.com. - SSL Certificate - Signature Verification Failed Vulnerability
This error occurs when the certificate in the HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases this happens when the CA is private. For example, a Windows CA. Obtain a certificate signed by a public CA.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
