I was examining my httpd.conf file and in the old server, I had this and I was PCI compliant:

SSLProtocol -All +TLSv1.2

In the new server, I have this and I just received a scan compliance notification informing that I am not PCI compliant:

SSLProtocol TLSv1.2

I see that in the old server I had -All. Does it mean that if I only have SSLProtocol TLSv1.2, I am allowing TLS 1.0 connections just by not disabling it explicitly?

UPDATE 1: Never mind, I do not require an answer anymore, it was all a confusion with the scan report referring to a wrong IP address, not the one that I needed to evaluate.

Jaime Montoya
  • What is defined for SSLProtocol in ssl.conf? This is where you want to define SSLProtocol in the default VirtualHost. – John Hanley Jun 10 '18 at 23:32
  • @JohnHanley Where can I find this ssl.conf file? – Jaime Montoya Jun 11 '18 at 16:32
  • Depends on your OS. Usually /etc/httpd. If you are working on PCI compliance take a few minutes to learn about the various Apache files. Then print them in a document as part of your compliance documentation. – John Hanley Jun 11 '18 at 16:42
  • @JohnHanley My operating system is `CentOS release 6.9` and I had already examined the content of `/etc/apache2` and I do not find a `ssl.conf` file there. – Jaime Montoya Jun 11 '18 at 16:53
  • Is mod_ssl installed? https://wiki.centos.org/HowTos/Https – John Hanley Jun 11 '18 at 16:56
  • @JohnHanley Running ``, I see that my `Registered Stream Socket Transports` include `ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2`. I am trying to disable TLS v1.0. My `SSL Version` is `OpenSSL/1.0.2o`. My `OpenSSL support` is `enabled` and my `OpenSSL Library Version` is `OpenSSL 1.0.2o 27 Mar 2018`. – Jaime Montoya Jun 11 '18 at 17:05
  • @JohnHanley I do see this file: `/etc/apache2/modules/mod_ssl.so`. – Jaime Montoya Jun 11 '18 at 17:14
  • Stop for a few minutes and figure out what you are doing. You leave out details and then we have to ask you piece by piece. If your goal is compliance, then understand what is configured and what changes need to be made. PCI Compliance is not passing an HTTPS test. It is fully understanding the security end-to-end for payment processing. I would delete this question and open a new one with all the details, configuration files, version numbers, etc. that we need to help you. – John Hanley Jun 11 '18 at 17:15
  • I ran `# apachectl -M` and yes I see `ssl_module (shared)`. SSL is installed, up and running correctly. People visit the site using https and everything is good. All I need is to disable TLS v1.0 because it is old and for PCI Compliance purposes. – Jaime Montoya Jun 11 '18 at 17:21

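To settle the question asked above, here is an added example (not code from the question, its comments, or Apache itself) that evaluates an `SSLProtocol` argument list the way mod_ssl does: `+name` adds a protocol, `-name` removes one, and a bare name replaces whatever was set before it, so `-All +TLSv1.2` and `TLSv1.2` both enable only TLS 1.2. The keyword set and the meaning of `all` (everything except SSLv2, as in Apache 2.4) are assumptions stated in the code.

```python
import re

# Assumed mod_ssl keyword set for Apache 2.4: "all" means everything but SSLv2.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
KNOWN_PROTOCOLS = ALL_PROTOCOLS | {"SSLv2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # what a PCI scan flags

def effective_protocols(args: str) -> set:
    """Protocols enabled by one SSLProtocol directive, following mod_ssl:
    '+name' adds, '-name' removes, a bare name REPLACES the set built so
    far (the set starts empty). Keywords are case-insensitive."""
    canon = {p.lower(): p for p in KNOWN_PROTOCOLS}
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            proto = set(ALL_PROTOCOLS)
        elif name in canon:
            proto = {canon[name]}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{token}'")
        if action == "-":
            enabled -= proto
        elif action == "+":
            enabled |= proto
        else:
            enabled = proto  # bare keyword discards anything set earlier
    return enabled

def audit_config(text: str) -> list:
    """Return (directive, sorted legacy protocols left enabled) per SSLProtocol line."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            weak = effective_protocols(m.group(1)) & LEGACY
            findings.append((line.strip(), sorted(weak)))
    return findings

# Constructed sample: the question's two directives plus a common mistake.
SAMPLE_CONF = """\
SSLProtocol -All +TLSv1.2
SSLProtocol TLSv1.2
SSLProtocol All -SSLv3
"""

if __name__ == "__main__":
    for directive, weak in audit_config(SAMPLE_CONF):
        print(f"{directive}: legacy protocols enabled -> {weak or 'none'}")
```

This only evaluates directive text; which `SSLProtocol` actually governs a given virtual host (global, the default vhost in ssl.conf, or a name-based vhost) still has to be checked in the real config, and a TLS scan of the live server confirms the result.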
1 Answer

Yvette Colomb (https://stackoverflow.com/users/3956566/yvette-colomb) deleted my answer stating this:

Please don't post identical answers to multiple questions. Instead, tailor the answer to the question asked. If the questions are exact duplicates of each other, please vote/flag to close instead.

So I am going to rephrase it: Never mind, I do not require an answer anymore, it was all a confusion with the scan report referring to a wrong IP address, not the one that I needed to evaluate.

Jaime Montoya