On 6/21/19 12:43 AM, Kihaguru Gathura wrote:
> OpenBSD 6.5 (GENERIC.MP) #84: Wed Apr 17 05:53:43 MDT 2019
> 
> Hi,
> 
> SSL compliance tests below refers. (htbridge)
> 
> 
> 2:SUPPORTED CIPHERS
> TLSv1.2
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Non-compliant with HIPAA guidance
> 
> Under what circumstances could these ciphers be not considered for
> HIPAA compliance?

They could be things that aren't on the list that was compiled ten years
ago; they could be sub-optimal options that are still in widespread use
today.  You are asking the wrong people.  Talk to your compliance people
and/or auditors.

Do what they tell you to do, it's easier than reasoning with them.

Remember: Security is important for ethical reasons.  Compliance is
important for legal reasons.  The key to workplace contentment is
understanding they are unrelated to each other.  Both are important, but
one does not lead to the other.

And audits go better when the auditor finds something to complain about
and gets you to change.

Nick.
