
1.2. Apache SSL PCI Compliance

SYMPTOMS:
PCI compliance scans show that Apache is not PCI compliant in the area of SSL.

 

RESOLUTION:

Edit httpd.conf and httpd.conf.tmpl.custom, and check the various lserver et al. Apache configuration files as appropriate, to add or modify the following:

  SSLOptions +StrictRequire
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Then restart Apache.

Testing that SSLv2 is Disabled

 openssl s_client -connect HOSTNAME:PORT -ssl2

If you receive the certificate and a ton of other lines, you still have SSLv2 enabled. Otherwise, if you receive anything like these you're fine:

CONNECTED(00000005)
write:errno=54
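
The pass/fail reading above can be scripted. This added example (not part of the original page) classifies a saved transcript of the `-ssl2` test and also flags the case where the result proves nothing, because the local openssl cannot speak SSLv2 or the TCP connection was never made. The function name, the sample transcripts, and the `unknown option` and `handshake failure` match strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a saved transcript of
#   openssl s_client -connect HOSTNAME:PORT -ssl2
# classify_ssl2 prints ENABLED, DISABLED or INCONCLUSIVE.

classify_ssl2() {
    transcript=$1
    # Assumption: an openssl build without SSLv2 support rejects -ssl2 with
    # an "unknown option" message. That says nothing about the server.
    if printf '%s\n' "$transcript" | grep -qi 'unknown option'; then
        echo INCONCLUSIVE; return 0
    fi
    # A server certificate in the output means the SSLv2 handshake went through.
    if printf '%s\n' "$transcript" |
        grep -q -e '^Server certificate' -e '-----BEGIN CERTIFICATE-----'; then
        echo ENABLED; return 0
    fi
    # TCP connected, then the handshake died: the server refused SSLv2.
    # "write:errno=" is the page's example; "handshake failure" is assumed.
    if printf '%s\n' "$transcript" | grep -q '^CONNECTED(' &&
       printf '%s\n' "$transcript" |
        grep -q -e 'write:errno=' -e 'handshake failure'; then
        echo DISABLED; return 0
    fi
    # Otherwise (e.g. no CONNECTED line: refused, timeout, wrong port)
    # the server's SSLv2 support was never actually tested.
    echo INCONCLUSIVE
}

# Constructed sample transcripts (not captured from a real host).
SAMPLE_DISABLED='CONNECTED(00000005)
write:errno=54'
SAMPLE_ENABLED='CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----'
SAMPLE_NO_CLIENT_SUPPORT='s_client: Unknown option: -ssl2'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=61'

for name in DISABLED ENABLED NO_CLIENT_SUPPORT REFUSED; do
    eval "sample=\$SAMPLE_$name"
    printf '%-18s -> %s\n' "$name" "$(classify_ssl2 "$sample")"
done
```

To use it on a real host, capture the transcript with `openssl s_client -connect HOSTNAME:PORT -ssl2 </dev/null 2>&1` and pass it as the first argument to `classify_ssl2`.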
