Monday, 14 May 2018

PCI DSS woes

It's PCI DSS time again! Every three months, an external agent (in this case, Sysnet Global Solutions) has to check my Secure Server, to check whether some newly discovered insecurity has caused the need for an update.

So I submitted the URL for checking, and it came back "FAIL". That was the start of the nightmare.

The fail, apparently, was that one of the chain of certs (certificates) used SHA1, and SHA1 is no longer considered secure. The recommended answer was to get back to the vendor of my cert, Comodo, and get them to sort it out. So I did that.

First, I tried using their chat function. Using that, they sent me this cert and that, but each time, I got the FAIL.

Then I tried again, next day. First one new cert, then another, and so on, and eventually they gave up and told me to email.

So I emailed, and the email I got back said, "Don't worry, it's a false positive".

I wasn't happy with that, and phoned. Over a two hour transatlantic call, the Comodo tech and I tried this, that and the other. He even got me to edit the certs around; taking a piece out of one and another piece out of another. And still it failed.


I learned a lot. Apache thinks that there needs to be three certs:

SSLCertificateFile SSLCertificateChainFile and SSLCACertificateFile

Actually, you can combine one of more certs into a single file. And until I understood that, I was getting a lot of grief, because Comodo were only offering two files. The SSLCertificateFile which is the file for my server, and the other file, which combines SSLCACertificateFile and SSLCertificateChainFile.

It turns out, that the problem lies in  the root certificate. The signatures of those aren't actually checked, so it really doesn't matter if they use SHA1 or not. They are trusted according to their identity, not their hash. And it was the root cert of Comodo that was SHA1.

So I boldly decided to tell Sysnet that they were throwing a false positive. I backed that up with quotes from Google and Microsoft, explaining that a SHA1 at the root wasn't a problem, and I put a cherry on top in the form of "I notice that the Sysnet web site also uses SHA1 for the root server."

It worked. After a week of agony, I got my cert authorised, and the cream of the joke is that I could have got it authorised the first time I'd tested it, if it hadn't been for that false positive.

But some good came out of it. When the time comes for me to renew my cert with Comodo for £90 per year, I shall instead be using "", which is free, and gives me a cert that the PCI DSS is happy about - I know that, because that's what I'm using now!

No comments:

Post a Comment