Ping a Specific Port

Question

Roy

Asked: 2010-09-24 23:42:51 +0800 CST2010-09-24 23:42:51 +0800 CST 2010-09-24 23:42:51 +0800 CST

Apache mod_ssl configuration for PCI compliance

772

I need to ensure PCI compliance by limiting mod_ssl to SSLv3 and TLSv1, and ensuring long keys. I've tried the following configuration, but certain combinations of SSLv2 seems to still be valid:

SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

What should the SSLCipherSuite configuration look like to completely disable SSLv2 and meet the PCI requirements?

3 Answers

Voted

Warner · Answer 1 · 2010-09-25T07:12:26+08:00

Best Answer

Warner

2010-09-25T07:12:26+08:002010-09-25T07:12:26+08:00

This is what I currently use for a PCI compliant Apache configuration:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

3

Mat · Answer 2 · 2010-09-25T07:21:03+08:00

Mat

2010-09-25T07:21:03+08:002010-09-25T07:21:03+08:00

If you have Apache 2.0+ you can avoid the rewrite rules that Warner mentioned and replace them with just:

TraceEnable Off

3

Roy · Answer 3 · 2010-09-25T00:23:42+08:00

Roy

2010-09-25T00:23:42+08:002010-09-25T00:23:42+08:00

The protocols can be disabled with the SSLProtocol statement as such:

SSLProtocol -ALL +SSLv3 +TLSv1

1

Apache mod_ssl configuration for PCI compliance

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?