PCI Compliance & Sweet32 vulnerability

  • Question

  • Recently our PCI Compliance vendor is failing our Exchange 2013 server on port 25 & 443 for the Sweet32 vulnerability.

    Any input on mitigating the issue (without breaking mail flow) would be appreciated.

    Below are the ciphers we are getting flagged for.

    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
    Cipher Suite
    TLSv1 : DES-CBC3-SHA
    TLSv1_1 : DES-CBC3-SHA
    TLSv1_2 : DES-CBC3-SHA

    Thanks in advance!

    Monday, December 12, 2016 3:24 PM

All replies

  • We are getting the exact same issue with our PCI Compliance on our Exchange. Did you ever figure out a solution?
    Wednesday, March 15, 2017 2:18 PM
  • Same here.  Any suggestions?
    Thursday, March 30, 2017 6:35 PM
  • I am also now getting this issue with our ASP.NET web application running on Azure Cloud Services. Any help or comments would be appreciated.

    Thursday, April 6, 2017 2:38 PM
  • One of the best tools for you to fix all of your issues regarding these is IISCrypto. It's a free tool from Nartac.

    It will allow you to save your current config as a template and then pick and choose the correct ciphers/hashes and suites to pass your test.

    They have templates configured for PCI and PCI 3.1 (turns off TLS 1.0 so don't use, yet) as well as Best Practices. I used the Best Practices template and then further removed the 3DES ciphers and the 3DES cipher suite.

    • Edited by Lascarius Thursday, April 13, 2017 3:04 PM
    • Proposed as answer by Lascarius Thursday, April 13, 2017 3:04 PM
    Thursday, April 13, 2017 3:03 PM
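As an added example that is not from the thread or from Nartac: the Schannel registry change behind IISCrypto's "Triple DES 168" checkbox, scripted in PowerShell so it can be audited and reverted. The backup file location is an assumption; the registry paths and the `Disable-TlsCipherSuite` cmdlet are standard Windows ones, and a reboot is needed before Exchange/IIS stop offering DES-CBC3-SHA on 25 and 443.

```powershell
# Added example (not from the thread): disable 3DES in Schannel the way IISCrypto does,
# so the scanner stops flagging DES-CBC3-SHA (Sweet32) on ports 25 and 443.
# Run from an elevated PowerShell prompt. Schannel reads these keys at boot, so reboot afterwards.

# 1. Export the current Schannel configuration first (IISCrypto's "save as template" equivalent).
#    $backupFile is an assumed location; change it to suit your change-control process.
$backupFile = Join-Path $env:SystemDrive ("schannel-before-3des-removal-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backupFile /y | Out-Null
Write-Host "Schannel backup written to $backupFile"

# 2. Disable the Triple DES 168 cipher. The .NET registry API is used because the subkey name
#    contains spaces and we want the key created even when it does not exist yet.
$tripleDesPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($tripleDesPath)
$key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# 3. On Windows Server 2016 / Windows 10 and later the TLS module can also drop the suite
#    from the negotiation list directly; older servers (e.g. 2012 R2) lack the cmdlet and rely on step 2.
if (Get-Command Disable-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' -ErrorAction SilentlyContinue
}

# 4. Verify what was written. 'Enabled' must read 0 for the change to take effect after reboot.
$enabled = (Get-ItemProperty -Path "HKLM:\$tripleDesPath" -Name Enabled).Enabled
if ($enabled -ne 0) { throw "Triple DES 168 is still enabled (value $enabled)" }
Write-Host 'Triple DES 168 disabled in Schannel. Reboot, then re-run the PCI scan.'
```

After the reboot, confirm from another host that the server no longer accepts the flagged suite (for example `openssl s_client -connect mail.example.com:443 -cipher DES-CBC3-SHA` should fail to negotiate) before asking the vendor to rescan; keep the exported .reg file so the change can be rolled back if an old client breaks.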