3

I need to ensure PCI compliance by limiting mod_ssl to SSLv3 and TLSv1, and ensuring long keys. I've tried the following configuration, but certain combinations of SSLv2 seem to still be valid:

SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

What should the SSLCipherSuite configuration look like to completely disable SSLv2 and meet the PCI requirements?

CodesInChaos
  • 143
  • 7
Roy
  • 4,376
  • 4
  • 36
  • 53

3 Answers

3

This is what I currently use for a PCI compliant Apache configuration:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Warner
  • 23,756
  • 2
  • 59
  • 69
  • The userdir module also needs to be disabled. It seems to be loaded by default on Ubuntu and Debian. – Roy Sep 24 '10 at 17:42
  • As noted by Mat, the rewrite rules can be replaced with "TraceEnable Off" on Apache 2.x – Roy Sep 24 '10 at 17:47
  • Would it be better to disable all and specifically enable TLSv1 and SSLv3, rather than enable all and disable SSLv2? – Roy Sep 24 '10 at 17:48
  • Same difference. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslprotocol You could argue disable all would be a better approach. However, new protocols are likely to be more secure rather than less. – Warner Sep 24 '10 at 17:57
3

If you have Apache 2.0+ you can avoid the rewrite rules that Warner mentioned and replace them with just:

TraceEnable Off
Mat
  • 306
  • 1
  • 2
1

The protocols can be disabled with the SSLProtocol statement as such:

SSLProtocol -ALL +SSLv3 +TLSv1
Roy
  • 4,376
  • 4
  • 36
  • 53
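The comments under Warner's answer ask whether "all -SSLv2" and "-ALL +SSLv3 +TLSv1" amount to the same thing, and Roy's answer gives the second form. The script below is an added example, not code from the question or any of the answers; it evaluates an SSLProtocol line using my reading of mod_ssl's parsing rules (processed left to right from an empty set; "+name" adds, "-name" removes, a bare name replaces the set, and "all" means every protocol the build knows). The two protocol lists are assumptions: the first matches the Apache 2.0/2.2 servers discussed here, the second is constructed to show how the two spellings diverge once a build knows newer TLS versions, which is the trade-off Warner's last comment points at.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives as mod_ssl parses them.

Added example (not from the original thread). Parsing rules are my reading
of mod_ssl: tokens are handled left to right starting from an empty set,
"+name" adds a protocol, "-name" removes one, a bare name replaces the whole
set, and "all" (case-insensitive) means every protocol the build supports.
"""

# Assumed protocol lists. APACHE_22_PROTOCOLS is what the 2.0/2.2 servers in
# the thread knew; NEWER_PROTOCOLS is a constructed list for a build that has
# since gained TLS 1.1 and 1.2.
APACHE_22_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
NEWER_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_ssl_protocol(directive, known=APACHE_22_PROTOCOLS):
    """Return the set of protocols an SSLProtocol line leaves enabled."""
    lookup = {name.lower(): name for name in known}
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]  # drop the directive keyword if present
    enabled = set()
    for word in tokens:
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = set(known)
        elif key in lookup:
            this = {lookup[key]}
        else:
            raise ValueError("unknown protocol name: %r" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # bare name replaces whatever was set so far
    return enabled


def sslv2_disabled(directive, known=APACHE_22_PROTOCOLS):
    """True when the directive leaves SSLv2 out of the enabled set."""
    return "SSLv2" not in parse_ssl_protocol(directive, known)


if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv2", "SSLProtocol -ALL +SSLv3 +TLSv1"):
        print("%-32s 2.2 build: %-28s newer build: %s" % (
            line,
            sorted(parse_ssl_protocol(line)),
            sorted(parse_ssl_protocol(line, NEWER_PROTOCOLS))))
```

On a 2.0/2.2 build both lines enable exactly SSLv3 and TLSv1. On a build that knows TLS 1.1 and 1.2, "all -SSLv2" picks the new versions up automatically while "-ALL +SSLv3 +TLSv1" keeps the server pinned to the two it names, so a whitelist has to be revisited whenever the build changes.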