This article lists some of the certificate-related errors that PCI compliance scans report against a SonicWall, and explains what causes each one and how to resolve it.
Here are some of the errors:
Protocol Version | Cipher Suite | Key length (bits) |
SSLv3 | AES256-SHA | 256 |
SSLv3 | DES-CBC3-SHA | 168 |
SSLv3 | AES128-SHA | 128 |
SSLv3 | RC4-MD5 | 128 |
SSLv3 | RC4-SHA | 128 |
TLSv1 | AES256-SHA | 256 |
TLSv1 | DES-CBC3-SHA | 168 |
TLSv1 | AES128-SHA | 128 |
TLSv1 | RC4-MD5 | 128 |
TLSv1 | RC4-SHA | 128 |
The scan reports these protocol/cipher combinations because of the protocol or the algorithm, not the key length: SSLv3 is prohibited outright, TLS 1.0 ("early TLS") has been prohibited by PCI DSS since 30 June 2018, and RC4 and 3DES (DES-CBC3) suites and MD5-based MACs are flagged as weak regardless of how many bits the key has. The fix is to disable SSLv3 and TLS 1.0 and the RC4 and 3DES suites on the service the scanner reached.
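As an added example (not SonicWall's code), the following shell functions classify rows of a scan listing in the format shown above, so the reason for each finding is explicit. The rules encoded are the ones just described (SSLv2/SSLv3 and TLS 1.0 as prohibited protocols; RC4, 3DES, single DES, export and NULL suites and MD5-based MACs as weak ciphers); the sample rows in the demo are a constructed copy of the listing plus one compliant TLS 1.2 suite, and the function names are this example's own.

```shell
# Added example (not SonicWall code): classify rows of a PCI scan cipher
# listing like the one above. Rules: SSLv2/SSLv3 and TLS 1.0 are prohibited
# protocols under PCI DSS; RC4, 3DES, single DES, export and NULL suites and
# MD5-based MACs are weak ciphers. A row passes only if neither applies.

# Usage: classify_row PROTOCOL CIPHER
# Prints "<proto> <cipher> PASS" or "<proto> <cipher> FAIL:<reason,...>";
# returns 0 on PASS and 1 on FAIL.
classify_row() {
    proto=$1
    cipher=$2
    reasons=""
    case "$proto" in
        SSLv2|SSLv3)   reasons="$reasons,protocol=$proto" ;;
        TLSv1|TLSv1.0) reasons="$reasons,protocol=early-TLS" ;;
    esac
    case "$cipher" in
        *RC4*)             reasons="$reasons,cipher=RC4" ;;
        *DES-CBC3*|*3DES*) reasons="$reasons,cipher=3DES" ;;
        DES-CBC-*)         reasons="$reasons,cipher=single-DES" ;;
        EXP*)              reasons="$reasons,cipher=export" ;;
        NULL*|*-NULL-*)    reasons="$reasons,cipher=NULL" ;;
    esac
    case "$cipher" in
        *-MD5) reasons="$reasons,mac=MD5" ;;
    esac
    reasons=${reasons#,}          # drop the leading comma
    if [ -z "$reasons" ]; then
        printf '%s %s PASS\n' "$proto" "$cipher"
        return 0
    fi
    printf '%s %s FAIL:%s\n' "$proto" "$cipher" "$reasons"
    return 1
}

# Usage: scan_listing < LISTING
# Reads "proto | cipher | bits |" rows on stdin, skips the header line,
# prints one verdict per row and returns 1 if any row fails.
scan_listing() {
    failed=0
    while IFS='|' read -r proto cipher _rest; do
        proto=$(printf '%s' "$proto" | tr -d ' \t')
        cipher=$(printf '%s' "$cipher" | tr -d ' \t')
        case "$proto" in ''|Protocol*) continue ;; esac
        classify_row "$proto" "$cipher" || failed=1
    done
    return "$failed"
}

# Demo on constructed rows: the first two are copied from the listing above,
# the third is what a compliant TLS 1.2 suite looks like.
scan_listing <<'EOF' && echo "no findings" || echo "scan would FAIL"
Protocol Version | Cipher Suite | Encryption bit |
SSLv3 | RC4-MD5 | 128 |
TLSv1 | DES-CBC3-SHA | 168 |
TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256 | 128 |
EOF
```

Paste the scanner's own listing into `scan_listing` to get a per-row reason; a non-zero exit means at least one row would be reported.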
PCI Compliance scan reports a certificate signed with a weak hash (MD5)
All SonicWall devices running the latest SonicOS firmware, Gen4 and Gen5, both SonicOS Standard and Enhanced, sign the SonicWall self-signed certificate with SHA1. If the scan reports an MD5-signed certificate, first check whether the finding belongs to a device behind the SonicWall that still uses MD5 rather than to the SonicWall itself.
If the finding is confirmed on the SonicWall, the usual cause is an imported third-party certificate that was signed with a weak hash; replace it with a certificate signed with a stronger hash.
In rare cases a SonicWall self-signed certificate can still be MD5-signed on the latest firmware: upgrading from an older firmware does not by itself regenerate the certificate, so the old MD5-signed one stays in use. The workaround is to change the Certificate Common Name (CN) under System > Administration and restart. This forces the SonicWall to regenerate the self-signed certificate, which will then be signed with SHA1. Note that scanners and browsers now also reject SHA1-signed certificates, so for a production management interface a certificate signed with SHA-256 is the target.
PCI Compliance scan fails the vulnerability test while accessing the IP address
Usually, the PCI compliance vulnerability test fails when the scanner connects to the IP address, while the same test passes when it connects using the domain name.
When the CSR is generated on the SonicWALL with the Common Name set to the domain name, the certificate identifies only that domain. A scanner that connects by IP address compares that IP against the names in the certificate, finds no match and reports a certificate name mismatch; the same check passes for the domain name.
So as long as the certificate is issued for the domain name only, the test will fail for the IP address. This is normal behaviour, not a misconfiguration; the only way to make the IP address pass is a certificate that also lists that IP address in its subjectAltName.
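The following is an added example, not SonicWall's code, that checks a certificate for the two findings described above (a weak signature hash, and a name check that fails when the scanner connects by IP) using the OpenSSL command line on a throwaway self-signed certificate. It assumes OpenSSL 1.1.1 or later; the hostname vpn.example.com, the address 203.0.113.10 and every function name are placeholders chosen for this example. One caveat the demo relies on: OpenSSL falls back to the CN when a certificate has no SAN DNS entry, but browsers and most current scanners ignore the CN entirely, so the corrected certificate carries both a DNS and an IP subjectAltName entry.

```shell
# Added example (not SonicWall code): inspect a certificate the way the two
# PCI findings above do, using the OpenSSL CLI (1.1.1 or later is assumed).
# Hostname vpn.example.com and IP 203.0.113.10 are placeholders.

# Usage: make_cert OUTDIR CN HASH [SAN]
# Writes OUTDIR/cert.pem and OUTDIR/key.pem, self-signed with the given digest
# (sha256, sha1, md5 ...). SAN, if given, is an OpenSSL subjectAltName value
# such as "DNS:vpn.example.com,IP:203.0.113.10".
make_cert() {
    dir=$1 cn=$2 hash=$3 san=$4
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 "-$hash" \
        -subj "/CN=$cn" ${san:+-addext "subjectAltName=$san"} \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Usage: sig_hash_of CERT.pem  -> prints e.g. sha256WithRSAEncryption
sig_hash_of() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Usage: sig_hash_is_weak ALGORITHM  -> true (0) for MD5- or SHA-1-based signatures
sig_hash_is_weak() {
    case "$1" in
        md5*|md2*|sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Name checks as a scanner performs them, run against a self-signed cert.
# OpenSSL matches a hostname against SAN DNS entries, falling back to the CN
# only when the certificate has no SAN DNS entry; an IP address is matched
# against SAN IP entries only, never against the CN.
cert_matches_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
cert_matches_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }

# Demo: the CN-only certificate the article describes, then a corrected one.
demo() {
    work=$(mktemp -d)
    make_cert "$work" vpn.example.com sha256 ""
    hash=$(sig_hash_of "$work/cert.pem")
    if sig_hash_is_weak "$hash"; then echo "signature $hash: WEAK"; else echo "signature $hash: ok"; fi
    cert_matches_host "$work/cert.pem" vpn.example.com && echo "by name: OK (matched via CN fallback)"
    cert_matches_ip "$work/cert.pem" 203.0.113.10   || echo "by IP:   FAIL (no SAN IP entry)"
    make_cert "$work" vpn.example.com sha256 "DNS:vpn.example.com,IP:203.0.113.10"
    cert_matches_ip "$work/cert.pem" 203.0.113.10   && echo "by IP after adding SAN IP: OK"
    rm -rf "$work"
}
demo
```

To check the certificate a SonicWall actually serves, export it (or capture it with `openssl s_client`) and run `sig_hash_of` and the two match functions against that file instead of the generated one.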