PCI Compliance Scan Certificate errors

12/30/2019 690 19498

DESCRIPTION:

This article shows some of the PCI Scan Certificate errors related to PCI Compliance and the explanation or the way to resolve them.

RESOLUTION:

Here's some of the errors:

• SSLv2 Supported
  SonicWall UTM appliances do not support SSLv2.  This error could be due to a device, like a webserver, behind the SonicWall using SSLv2.
• SSL Weak Encryption Algorithms
  This error could be due to a device, like a webserver, behind the SonicWall using less than 128 bit encryption. SonicWall UTM appliances support the following cipher-suites:

• SSL certificate is signed with weak hash function

All SonicWall devices with the latest SoniOS firmware, Gen4 and Gen5 - both SonicOS Standard and Enhanced - use SHA1 in the SonicWall self-signed certificate. This error could be due to a device behind the SonicWall using MD5.

If it is determined that this vulnerability is found in the SonicWall, then it could be due to importing a 3rd party certificate with a weak hash.

In rare cases a SonicWall self-signed certificate with the latest firmware could have MD5. In such cases the reason could be upgrading from an older firmware hasn't still made SonicWall use SHA1 hash. The suggested workaround would be to change the Certificate Common Name (CN) under System > Administration page and restart. This will force the SonicWall to re-generate the self-signed certificate and use SHA1.

• SSL Certificate is Self-Signed
  
  All SonicWall UTM appliances have an inbuilt self-signed certificate. By default, this certificate is used for HTTPS web management. It is recommended to use a certificate signed by a third party Certificate Authority (CA) like Verisign or GoDaddy. Refer these articles on how to obtain certificates from a public CA, GoDaddy and Thawte as examples:
  • Installing GoDaddy Certificate in SonicWall UTM device
  • How to Request and Import a Signed Certificate from Thawte
• SSL Certificate is Not Trusted
  
  This error occurs when the certificate in the HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases this happens when the CA is private. For example, a Windows CA. Obtain a certificate signed by a public CA.
• SSL Certificate has an IP Address as the Common Name
  
  The certificate used in HTTP web management or SSL VPN has IP address instead of FQDN in Common Name (CN) field. Obtain a certificate with an FQDN as its CN or Subject Alternative Name. 
• Subject Common Name Does Not Match Server FQDN
  
  Obtain a certificate whose Subject Common Name (CN) or Subject Alternative Name (SAN) matches the FQDN used to access it. For example, if the scan is being done using the FQDN www.example.com, the certificate must have its CN or SAN as www.example.com or *.example.com.
• SSL Certificate - Signature Verification Failed Vulnerability

This error occurs when the certificate in the HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases this happens when the CA is private. For example, a Windows CA. Obtain a certificate signed by a public CA.