The PCI-DSS standards are designed to help protect card-holder data. The specific section we’re interested in is section 4.1 of the v1.2 revision of the standards which are available for download here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html
The standards layout that you should use strong cryptography and security protocols when transmitting card data over open, public networks (ie the Internet).
If you want to secure any data sent over HTTPS you need to make sure the protocols and ciphers used are secure. In practice, this means disabling SSLv2 and weak ciphers. This has to be done at the SSL endpoint – so if you’re using a load balancer, firewall or similar to terminate your SSL connections you’ll need to make the changes there.
We can offer advice and resell SSL terminating end-points. We also work with open-source SSl terminating solutions such as Pound ( http://www.apsis.ch/pound/ ).
Use the SSLScan tool – http://sourceforge.net/projects/sslscan/
Use OpenSSL from the command line:
SSLv2
# openssl s_client -ssl2 -connect www.HOSTNAME.com:443
Weak ciphers
# openssl s_client -connect www.HOSTNAME.com:443 -cipher LOW:EXP
Apache 2.x:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Pound:
Ciphers "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL"
IIS:
(Unfortunately you have to edit the registry…)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128] "Enabled"=dword:0000000
You may also be interested to know that active CF community member Pete Freitag has created a commercial tool to help you make these changes in IIS – http://foundeo.com/products/iis-weak-ssl-ciphers/
Of course not everyone’s environment is straight-forward and often you’ll hit issues or knock-on effects – so get the experts in… we’re waiting!
A common consulting engagement for us is configuring a new system for optimal use. It’s not just the application server that’ll need configuring, don’t forget the application server relies on a lot of underlying infrastructure including the network and OS. Often this stage gets over-looked or you’ll (often incorrectly) assume your hosting provider will have performed these steps already.
Every application is different, there’s no golden rules but there are some simple steps you can take to improve performance, security & stability. For a typical web & application server machine let’s look at an example Linux setup. Here’s just the tip of the iceberg…
Making good progress? What about the network, firewall, loadbalancer, web server, JVM, application server, application code…. the list goes on – save yourself the headache, call the experts!
Have you noticed requests stop processing and your CPU usage is high?
There are many possible causes of this – a common one being using “Registry” as the CLIENT variable backing store.
Have you seen this combined with “java.lang.OutOfMemoryError: PermGen space” errors in your logs?
Again, there are several causes for filling the PermGen space but one common one is too many templates for the allotted space. The PermGen space stores information about classes. Behind the scenes of ColdFusion each CFM translates to a Java class. This means that if you have many templates used by your server, you’ll have lots of classes and use a lot of PermGen space. Remember this class information gets stored in the PermGen for the life of the server and is never unloaded!
Careful not to get confused with the CF administrator setting “Maximum number of cached templates” which are cached in the Heap space.
Well, I looked at an example with a very simple set of CFMs. I took 10,000 CFM templates containing the single line:
<cfset x = now() />
The mean average PermGen increase per template (after execution of course) was 2,677 bytes. This probably doesn’t sound like a lot but put this into practice on a live server with a real application and it only takes ~1,000-2,000 templates before you’re out of PermGen space and an unstable server.
Note: It’s not just CFMs that are Java classes behind the scenes, your CFC functions count too!