Configuring the SSL and TLS connections allowed by ZXTM

The Payment Card Industry, including Visa and MasterCard, requires banks, merchants and Member Service Providers to protect cardholder information by adhering to a strict set of security standards. The Payment Card Industry security standard (PCI) includes MasterCard's Site Data Protection (SDP) program and Visa's Cardholder Information Security Program (CISP).

Selecting the SSL and TLS ciphers and protocols used

To fully comply with the security standards outlined by the Payment Card Industry, you will need to restrict the SSL ciphers and protocol versions that ZXTM allows clients to use:

  1. Disabling Weak SSL3 Ciphers in ZXTM
  2. Disabling SSL version 2 in ZXTM
  3. Enabling TLS 1.0 and 1.1 in ZXTM
  4. Disabling SSL2 in the Zeus Admin Interface
  5. Disabling Weak SSL3 Ciphers in the Zeus Admin Interface

Disabling Weak SSL3 Ciphers in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

In the setting ZXTM's Cipher List, enter the following cipher list:

SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA

Disabling SSL version 2 for client connections in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

Disable the setting ssl!support_ssl2.

SSL version 2 has known weaknesses.

Enabling TLS 1.0 and 1.1 in ZXTM

Navigate to:

SYSTEM > GLOBAL SETTINGS > SSL CONFIGURATION

Enable the settings ssl!support_tls1 and ssl!support_tls1.1.

Disabling SSL2 in the Zeus Admin Interface

In $ZEUSHOME/admin/global.cfg enter:

tuning!support_ssl2 no

Disabling Weak SSL3 ciphers in the ZXTM Administrator Interface

In $ZEUSHOME/admin/global.cfg insert, on one continuous line:

tuning!ssl3_ciphers SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA

Please remember to restart your admin server.

We recommend using:

$ZEUSHOME/admin/rc restart
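As an added check (example code written for this page, not part of ZXTM or the article), the script below re-joins a wrapped cipher list into the single continuous line global.cfg requires and reports which suites use components that later guidance no longer accepts as strong cryptography (RC4 was prohibited by RFC 7465 in 2015; the assumed policy also rejects export, anonymous, NULL, DES/3DES, RC2 and MD5-based suites). The list is the article's own; the suite-name pattern and the weakness patterns are assumptions.

```python
import re

# Constructed sample input: the cipher list from the article, kept wrapped over
# two lines exactly as the article prints it.
ARTICLE_CIPHERS = """SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_AES_256_CBC_SHA:
SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA"""

# Suite names in the article follow the SSL_<kx>_WITH_<enc>_<mac> convention (assumed).
SUITE_RE = re.compile(
    r"^SSL_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<enc>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$")

# Assumed policy: components no longer considered strong cryptography
# (RC4 per RFC 7465; export/anonymous key exchange, NULL, RC2, DES, 3DES and MD5
# per current guidance on strong cryptography).
WEAK = {
    "kx": re.compile(r"EXPORT|anon"),
    "enc": re.compile(r"NULL|RC2|RC4|DES40|DES_CBC|3DES"),
    "mac": re.compile(r"MD5"),
}

def parse_cipher_list(text):
    """Split a ZXTM cipher list into suite names, tolerating line wrapping,
    and reject anything that is not a well-formed suite name."""
    suites = [s for s in re.split(r"[:\s]+", text.strip()) if s]
    bad = [s for s in suites if not SUITE_RE.match(s)]
    if bad:
        raise ValueError("unrecognised cipher suite name(s): " + ", ".join(bad))
    return suites

def weaknesses(suite):
    """Return the weak components found in one suite name (empty list if none)."""
    parts = SUITE_RE.match(suite).groupdict()
    hits = [WEAK[name].search(parts[name]) for name in ("kx", "enc", "mac")]
    return [h.group(0) for h in hits if h]

def audit(text):
    """Map every suite in the list to its weak components."""
    return {s: weaknesses(s) for s in parse_cipher_list(text)}

def config_line(key, text):
    """Render the list as the single continuous global.cfg line ZXTM expects."""
    return key + " " + ":".join(parse_cipher_list(text))

if __name__ == "__main__":
    for suite, weak in audit(ARTICLE_CIPHERS).items():
        print("%-32s %s" % (suite, ", ".join(weak) or "ok"))
    print(config_line("tuning!ssl3_ciphers", ARTICLE_CIPHERS))
```

Run against the article's list, only the two AES suites pass the assumed policy; the output line can be pasted into global.cfg unchanged.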
Chris Buckley [Zeus Support] 12 June 2006

Comments:


Comment from: Jake van Schaik [Visitor] · http://shop.vodafone.co.uk
Typo: "continous" should be "continuous" ;)

Thanks for the useful article
23 August 2007 @ 15:12
Comment from: Brian Clark [Visitor]
It would be nice to see more information from Zeus about PCI compliance using ZXTM. For example, this article is called "Conforming to the Payment Card Industry" but it really only talks to a single issue within PCI, which is PCI Requirement 4.1 "Use strong cryptography and security protocols".

Aside from that, it is very useful to have these commands together in one place.
21 May 2008 @ 15:42
Comment from: Owen Garrett [Zeus Dev Team]
The article has been updated to make it clearer that it only refers to the configuration of security protocols.
27 November 2008 @ 11:14