PCI compliance scanning reports DES ciphers enabled even after using pci_compliance_resolver utility


2017-07-25 09:57:04 UTC


2017-08-16 15:46:15 UTC




Applicable to:

  • Plesk Onyx for Linux


A PCI compliance scanner (Trustwave in this case) still reports DES/3DES ciphers as enabled after the pci_compliance_resolver utility has been run to enable PCI compliance mode.

The Trustwave scan report reads:

This is a cipher vulnerability, not limited to any specific SSL/TLS software
implementation. DES and Triple DES (3DES) block ciphers with a block size
of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to
the power of 32, hence the name of this vulnerability). A man-in-the-middle
(MitM) attacker, who is able to capture a large amount of encrypted network
traffic, can recover sensitive plain text data.

NOTE: Cipher block size must not be confused with key length. DES / 3DES
ciphers are vulnerable because they always operate on 64 bit blocks
regardless of the key length. If this vulnerability is detected, and in the
list of detected ciphers you see only entries with numbers different than 64
(eg. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid,
because '112 bits' is the key length.

This issue can be avoided by disabling block ciphers of 64 bit block length
(like DES/3DES) in all the SSL/TLS servers. Exact procedure depends on the
actual implementation. Please refer to the documentation of your SSL/TLS
server software and actual service software (http server, mail server, etc).

On CentOS, the rpm utility shows that the DES issue was already addressed in the installed openssl package:

# rpm -q --changelog openssl | grep CVE-2016-2183
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to 


The corresponding vulnerability, CVE-2016-2183 (Sweet32), was fixed in the following distribution packages:

For CentOS/RedHat :


For Debian :


For Ubuntu 14.04 :


For Ubuntu 16.04 :



If the installed openssl package carries the CVE-2016-2183 fix and the services on the host no longer negotiate DES/3DES, contact Trustwave support regarding the probable false positive.
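A package changelog entry proves the library was patched, not that every service stopped offering 3DES: the Red Hat mitigation moves the 64-bit block ciphers into a lower strength class rather than removing them, so a service whose cipher string still admits them keeps negotiating them. The script below is an added example (not part of this article or of Plesk) that performs the same check a Sweet32 scanner does against the TLS ports a Plesk host typically exposes: it restricts openssl s_client to DES/3DES suites only, so any completed handshake proves the port still accepts one of them. The port list, the host name and the sample s_client output used for the offline self-check are constructed for illustration; adjust the port list to the services actually enabled.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: probe a Plesk host for the
# 64-bit block ciphers (DES/3DES) that CVE-2016-2183 / Sweet32 scanners flag.
# Restricting the client to those suites alone means any successful handshake
# proves the service still accepts one of them. The port list, the host and
# the sample s_client output below are constructed for illustration.

# OpenSSL names of the DES/3DES suites an OpenSSL 1.0.x server can offer.
SWEET32_CIPHERS='ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:DES-CBC-SHA'

# Print the negotiated cipher from `openssl s_client` output read on stdin:
# the value of the "Cipher    :" line in the SSL-Session block, which is
# 0000 when the handshake failed. Prints nothing if no such line exists.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Exit status: 0 = a DES/3DES suite was negotiated, 1 = handshake refused
# (or some other suite came back), 2 = stdin did not look like s_client output.
sweet32_negotiated() {
    cipher=$(negotiated_cipher)
    case "$cipher" in
        '')                     return 2 ;;
        0000)                   return 1 ;;
        *DES-CBC3-*|*DES-CBC-*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Probe one port. Arguments: host port [starttls-protocol]
# (STARTTLS protocols s_client understands here: smtp, pop3, imap, ftp).
probe_port() {
    host=$1 port=$2 starttls=$3
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$host:$port" -starttls "$starttls" \
                  -cipher "$SWEET32_CIPHERS" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" \
                  -cipher "$SWEET32_CIPHERS" </dev/null 2>&1)
    fi
    rc=0
    printf '%s\n' "$out" | sweet32_negotiated || rc=$?
    case $rc in
        0) printf '%s:%s (%s): STILL ACCEPTS %s\n' "$host" "$port" "${starttls:-tls}" \
               "$(printf '%s\n' "$out" | negotiated_cipher)"; return 0 ;;
        1) printf '%s:%s (%s): refuses DES/3DES\n' "$host" "$port" "${starttls:-tls}"; return 1 ;;
        *) printf '%s:%s (%s): no TLS session (closed port or connect error)\n' \
               "$host" "$port" "${starttls:-tls}"; return 2 ;;
    esac
}

# Assumed port list for a Plesk Onyx host: web (443), Plesk panel (8443),
# SMTPS/IMAPS/POP3S, and the STARTTLS mail and FTP services.
# Returns 0 when no port accepted DES/3DES, 1 when at least one still does.
probe_plesk_host() {
    found=0
    for spec in 443 8443 465 993 995 25:smtp 587:smtp 110:pop3 143:imap 21:ftp; do
        port=${spec%%:*}
        proto=${spec#*:}
        [ "$proto" = "$spec" ] && proto=''
        probe_port "$1" "$port" "$proto" && found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed excerpts of s_client output, used to exercise the parser offline.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-DES-CBC3-SHA'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh sweet32_probe.sh <host>  (with no host only the offline self-check runs)
if [ $# -gt 0 ]; then
    probe_plesk_host "$1"
else
    printf '%s\n' "$SAMPLE_ACCEPTED" | sweet32_negotiated && echo 'self-check: accepted sample recognised'
    printf '%s\n' "$SAMPLE_REFUSED" | sweet32_negotiated || echo 'self-check: refused sample recognised'
fi
```

A port reported as STILL ACCEPTS means the cipher string of that service (web server, Plesk panel, Postfix/Dovecot, FTP) still admits DES/3DES regardless of the openssl package version; in OpenSSL cipher-list syntax the keywords `!3DES` and `!DES` exclude those suites. Only when every probed port refuses them is the scanner finding a candidate false positive.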
