Forum

Non-compliant with NIST, HIPAA and PCI DSS

Mike
14 June 2017, 11:47
Testing a Hiawatha hosted website with https://www.htbridge.com/ssl/ shows a warning:

The server supports elliptic curves that are considered weak.
Non-compliant with NIST, HIPAA and PCI DSS

SUPPORTED ELLIPTIC CURVES
List of all elliptic curves supported by the server:
P-192 (prime192v1) (192 bits) - Non-compliant with PCI DSS requirements
secp192k1 (192 bits) - Non-compliant with PCI DSS requirements

While this is just a compliance warning, I would like to disable <=192 EC ciphers.
Joe Schmoe
14 June 2017, 19:40
You should be able to modify the cipher suites yourself and recompile. Look at the tls.c file in the source code.

https://www.hiawatha-webserver.org/howto/compilation_and_installation
https://github.com/hsleisink/hiawatha
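A defender-side check to confirm that a rebuilt server no longer accepts the curves the scanner flagged. This is an added example, not code from the thread or from the Hiawatha project; it assumes `openssl s_client` supports the `-curves` option and prints a `Server Temp Key:` line for the negotiated ECDHE key.

```shell
#!/bin/sh
# Probe a TLS server one curve at a time: offer only that curve and see
# whether the handshake completes. The key the server chose shows up in
# `openssl s_client` output as e.g. "Server Temp Key: ECDH, P-256, 256 bits".

# Read s_client output on stdin and print the negotiated curve name
# (handles both "ECDH, P-256, ..." and the newer "X25519, 253 bits" form).
# Prints nothing if no ephemeral EC key was negotiated.
negotiated_curve() {
  sed -n 's/^Server Temp Key: \(ECDH, \)\{0,1\}\([^,]*\),.*/\2/p' | head -n 1
}

# Offer exactly one curve to HOST:PORT and report accepted/rejected.
# Usage: probe_curve HOST PORT CURVE
probe_curve() {
  host="$1"; port="$2"; curve="$3"
  # Note: a rejected curve usually shows as a failed handshake (empty output);
  # an openssl build that has dropped the curve itself also reports "rejected".
  out=$(printf '' | openssl s_client -connect "$host:$port" \
        -servername "$host" -curves "$curve" 2>/dev/null)
  if [ -n "$(printf '%s\n' "$out" | negotiated_curve)" ]; then
    echo accepted
  else
    echo rejected
  fi
}

# The two curves the scanner reported as weak (constructed from the report above);
# a hardened server should answer "rejected" for each of them.
WEAK_CURVES="prime192v1 secp192k1"

# Run the probe against every weak curve; exits non-zero if any is still accepted.
# Usage: check_weak_curves HOST [PORT]
check_weak_curves() {
  host="$1"; port="${2:-443}"; status=0
  for c in $WEAK_CURVES; do
    r=$(probe_curve "$host" "$port" "$c")
    echo "$c: $r"
    [ "$r" = rejected ] || status=1
  done
  return $status
}
```

Run `check_weak_curves your.host` after recompiling to confirm both 192-bit curves are refused, then re-run the external scan.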
Mike
16 June 2017, 12:58
Thanks. I wonder if it makes sense to alter upstream source accordingly.
This topic has been closed.