
Payment Card Industry – Data Security Standards (PCI-DSS) and HTTPS SSL/TLS Connections

The PCI-DSS standards are designed to help protect card-holder data. The specific section we’re interested in is section 4.1 of the v1.2 revision of the standards which are available for download here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html

The standards lay out that you should use strong cryptography and security protocols when transmitting card data over open, public networks (i.e. the Internet).

If you want to secure any data sent over HTTPS you need to make sure the protocols and ciphers used are secure. In practice, this means disabling SSLv2 and weak ciphers. This has to be done at the SSL endpoint – so if you’re using a load balancer, firewall or similar to terminate your SSL connections you’ll need to make the changes there.

We can offer advice and resell SSL terminating end-points. We also work with open-source SSL terminating solutions such as Pound ( http://www.apsis.ch/pound/ ).

How To Check

Use the SSLScan tool – http://sourceforge.net/projects/sslscan/

Use OpenSSL from the command line:

SSLv2

# openssl s_client -ssl2 -connect www.HOSTNAME.com:443

Weak ciphers

# openssl s_client -connect www.HOSTNAME.com:443 -cipher LOW:EXP
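The two openssl checks above tell you whether the endpoint accepted the handshake by the "New, ..., Cipher is ..." line they print. Below is an added example (not part of the original post) that parses that line and wraps both checks so they can be run against your own endpoints in bulk; the sample outputs are constructed, and the helper names are my own.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed, abridged s_client output of the two kinds you will see (not captured from a real host).
NEGOTIATED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
"""
REFUSED = """CONNECTED(00000003)
error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
"""

def negotiated_cipher(output: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, cipher) if s_client completed a handshake, else None.
    A refused SSLv2 or weak-cipher attempt prints 'Cipher is (NONE)'; an openssl
    build without the -ssl2 option prints no 'New,' line at all, which also maps to None."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", output, re.M)
    if not m or m.group(2) == "(NONE)":
        return None
    return m.group(1), m.group(2)

def check_endpoint(host: str, port: int = 443) -> dict:
    """Run the SSLv2 and LOW:EXP checks from the post against one of your own endpoints.
    A value of None is the desired (compliant) state; a tuple means the server accepted it."""
    checks = {
        "sslv2": ["openssl", "s_client", "-ssl2", "-connect", f"{host}:{port}"],
        "weak_ciphers": ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "LOW:EXP"],
    }
    results = {}
    for name, cmd in checks.items():
        try:
            proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
            out = (proc.stdout + proc.stderr).decode(errors="replace")
        except (OSError, subprocess.TimeoutExpired):
            out = ""  # openssl missing or host unreachable: reported as not negotiated
        results[name] = negotiated_cipher(out)
    return results
```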

How to Fix

Apache 2.x:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Pound:

Ciphers "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL"

IIS:

(Unfortunately you have to edit the registry…)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

You may also be interested to know that active CF community member Pete Freitag has created a commercial tool to help you make these changes in IIS – http://foundeo.com/products/iis-weak-ssl-ciphers/

Of course not everyone’s environment is straight-forward and often you’ll hit issues or knock-on effects – so get the experts in… we’re waiting!

New system configuration – It’s not just the application server!

A common consulting engagement for us is configuring a new system for optimal use. It’s not just the application server that’ll need configuring: the application server relies on a lot of underlying infrastructure, including the network and OS. Often this stage gets overlooked, or you’ll (often incorrectly) assume your hosting provider has already performed these steps.

Every application is different and there are no golden rules, but there are some simple steps you can take to improve performance, security & stability. For a typical web & application server machine, let’s look at an example Linux setup. Here’s just the tip of the iceberg…

Tune TCP/IP Kernel Parameters

  • Disable response to ICMP Echo broadcasts
    • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • Enable reverse-path filtering (drop packets whose source address is not routable back via the interface they arrived on)
    • net.ipv4.conf.eth0.rp_filter=1
    • net.ipv4.conf.lo.rp_filter=1
    • net.ipv4.conf.default.rp_filter=1
    • net.ipv4.conf.all.rp_filter=1
  • Set the TCP buffer maximum limits
    • net.core.rmem_max = 16777216
    • net.core.wmem_max = 16777216
  • Increase Linux autotuning TCP buffer limits (min, default, and max number of bytes to use)
    • net.ipv4.tcp_rmem = 4096 10000000 16777216
    • net.ipv4.tcp_wmem = 4096 65536 16777216
  • Disable source-routed packets (a common IP spoofing technique)
    • net.ipv4.conf.eth0.accept_source_route=0
    • net.ipv4.conf.lo.accept_source_route=0
    • net.ipv4.conf.default.accept_source_route=0
    • net.ipv4.conf.all.accept_source_route=0
  • TIME_WAIT sockets for new connections can be reused. This helps on any server that receives many connections at the same time.
    • net.ipv4.tcp_tw_reuse=1
    • net.ipv4.tcp_fin_timeout=30
  • Move keepalive from 2hrs to 30 min. (May want to tune this up or down)
    • net.ipv4.tcp_keepalive_time=1800
  • Help protect from denial-of-service (syn-flood) attack:
    • net.ipv4.tcp_max_syn_backlog=4096
  • Only accept ICMP redirects from trusted gateways
    • net.ipv4.conf.eth0.secure_redirects=1
    • net.ipv4.conf.lo.secure_redirects=1
    • net.ipv4.conf.default.secure_redirects=1
    • net.ipv4.conf.all.secure_redirects=1
  • Don’t accept ICMP redirects at all on interfaces facing untrusted networks
    • net.ipv4.conf.eth0.accept_redirects=0
    • net.ipv4.conf.lo.accept_redirects=0
    • net.ipv4.conf.default.accept_redirects=0
    • net.ipv4.conf.all.accept_redirects=0
  • Do not send redirects (we’re not acting as a router)
    • net.ipv4.conf.eth0.send_redirects=0
    • net.ipv4.conf.lo.send_redirects=0
    • net.ipv4.conf.default.send_redirects=0
    • net.ipv4.conf.all.send_redirects=0
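Settings like these drift (a reinstall, a provider image, a colleague’s “quick fix”), so the check you want is a comparison of the live /proc/sys values against your baseline. The following is an added example of such an audit, not part of the original post; the baseline text is constructed from the keys listed above and the function names are my own.

```python
import os
from typing import Dict, Optional, Tuple

# Constructed baseline in sysctl.conf syntax, using the keys from the list above.
BASELINE = """
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.rp_filter = 1        # missing on hosts whose NIC is not called eth0: reported as drift
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_rmem = 4096 10000000 16777216
"""

def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines (ignoring # comments); whitespace inside multi-value
    settings such as tcp_rmem is collapsed to single spaces so it compares with /proc/sys."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = " ".join(value.split())
    return out

def read_proc_sys(key: str) -> Optional[str]:
    """Live value of a sysctl via /proc/sys, or None if the key does not exist on this host."""
    path = os.path.join("/proc/sys", key.replace(".", "/"))
    try:
        with open(path) as f:
            return " ".join(f.read().split())
    except OSError:
        return None

def find_drift(baseline: Dict[str, str],
               current: Dict[str, Optional[str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """{key: (expected, actual)} for every baseline key whose live value differs or is missing."""
    return {k: (v, current.get(k)) for k, v in baseline.items() if current.get(k) != v}

def audit_host(baseline_text: str = BASELINE) -> Dict[str, Tuple[str, Optional[str]]]:
    base = parse_sysctl(baseline_text)
    return find_drift(base, {k: read_proc_sys(k) for k in base})

if __name__ == "__main__":
    for key, (want, got) in audit_host().items():
        print(f"DRIFT {key}: expected {want!r}, got {got!r}")
```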

Tune User Security Limit Parameters

  • Define “soft” & “hard” limits for max open file handles for all users
    • * soft nofile 20000
    • * hard nofile 20000
  • Define “soft” & “hard” limits for max concurrent processes for all users
    • * soft nproc 8192
    • * hard nproc 8192

What’s Next?!

Making good progress? What about the network, firewall, load balancer, web server, JVM, application server, application code… the list goes on. Save yourself the headache and call the experts!

JVM PermGen memory usage with many CFM templates

Have you noticed requests stop processing and your CPU usage is high?

There are many possible causes of this – a common one being using “Registry” as the CLIENT variable backing store.

Have you seen this combined with “java.lang.OutOfMemoryError: PermGen space” errors in your logs?

Again, there are several causes for filling the PermGen space but one common one is too many templates for the allotted space. The PermGen space stores information about classes. Behind the scenes of ColdFusion each CFM translates to a Java class. This means that if you have many templates used by your server, you’ll have lots of classes and use a lot of PermGen space. Remember this class information gets stored in the PermGen for the life of the server and is never unloaded!

Be careful not to confuse this with the CF Administrator setting “Maximum number of cached templates”, which refers to templates cached in the Heap space, not the PermGen.

So, how many is too many?

Well, I looked at an example with a very simple set of CFMs. I took 10,000 CFM templates containing the single line:

<cfset x = now() />

The mean PermGen increase per template (after execution, of course) was 2,677 bytes. This probably doesn’t sound like a lot, but put it into practice on a live server with a real application and it only takes ~1,000-2,000 templates before you’re out of PermGen space and left with an unstable server.

Note: It’s not just CFMs that are Java classes behind the scenes, your CFC functions count too!