Disable Apache2 weak and medium ciphers for PCI compliance

A few days ago we had an external vulnerability scan run by an Approved Scanning Vendor (ASV) for PCI DSS compliance. The report listed these two findings, which our own Nessus scan had also reported:

The remote service supports the use of medium strength SSL ciphers:

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Nessus ID: 42873

The remote service supports the use of weak SSL ciphers:

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

Nessus ID: 26928

To fix this, change the Apache2 SSL (mod_ssl) configuration as follows:

  SSLProtocol -all +SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

After this change, restart the Apache web server and run Nessus again. Those two findings should no longer appear in the report.
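Before waiting for the next ASV scan, you can check locally what the SSLCipherSuite string actually expands to on the server's OpenSSL and classify each suite against the thresholds quoted in the two Nessus findings (no encryption or under 56 bits is weak, 56 to 111 bits is medium). The script below is an added example, not part of the original post; the sample lines are constructed in the format printed by `openssl ciphers -v`, and `audit_cipher_string` runs the real command for a given string.

```python
import re
import subprocess

# Thresholds from the two Nessus findings above: "medium" is a key length of
# at least 56 and less than 112 bits; "weak" is below that or no encryption.
# Anonymous suites (Au=None) are what Apache's !aNULL / !ADH exclude.
_ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9/-]+)(?:\((?P<bits>\d+)\))?")

# Constructed sample in `openssl ciphers -v` format (not real server output).
SAMPLE_LINES = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
""".splitlines()

def classify_cipher(line):
    """Return (name, category) for one `openssl ciphers -v` line, else None."""
    fields = line.split()
    if not fields:
        return None
    name = fields[0]
    m = _ENC_RE.search(line)
    if m is None:
        return (name, "unknown")
    if m.group("alg") == "None":
        return (name, "null")          # eNULL: no encryption at all
    if "Au=None" in fields:
        return (name, "anonymous")     # aNULL / ADH: no server authentication
    bits = int(m.group("bits") or 0)   # classification is by key length only
    if bits < 56:
        return (name, "weak")
    if bits < 112:
        return (name, "medium")
    return (name, "strong")

def audit(lines):
    """Group suite names by category; anything but 'strong' would still
    trigger Nessus 26928 (weak/null/anonymous) or 42873 (medium)."""
    report = {}
    for line in lines:
        result = classify_cipher(line)
        if result is not None:
            report.setdefault(result[1], []).append(result[0])
    return report

def audit_cipher_string(spec):
    """Expand an Apache SSLCipherSuite string with the local OpenSSL and audit it."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         check=True, capture_output=True, text=True).stdout
    return audit(out.splitlines())
```

Because the check uses key length alone, as the finding text defines it, a 128-bit RC4 suite passes here even though newer scanner plugins flag RC4 and SSLv3 separately; run it with `audit_cipher_string("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM")` on the server to see the expanded list.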
