I submitted my LAMP server (Red Hat OS) for two PCI compliance scans. The first scan resulted in 3 SSL errors. They were:
- SSL Server Supports Weak Encryption for SSLv3, TLSv1
- SSL Server Supports Weak MAC Algorithm for SSLv3, TLSv1
- SSL Server Supports CBC Ciphers for SSLv3, TLSv1
The PCI scan report suggested some solutions, which I used in creating an SSLCipherSuite to address the issue. This is the resulting SSLCipherSuite:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!MD5:!IDEA-CBC-SHA:!IDEA-CBC-MD5:!RC2-CBC-MD5:!DES-CBC-SHA:!DES-CBC-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC2-CBC-MD5:!ADH-DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA
However, this SSLCipherSuite still failed issue 3. The operator of the PCI scan emailed me afterwards saying that I have to remove anything CBC based (such as DES). The operator said he's frequently seen leaving RC4-AES as the available cipher as an acceptable solution.
So I took his suggestion and tried:
SSLCipherSuite !ALL:RC4-AES
But this caused an error with Apache and it wouldn't start up again. What is the correct directive to do as the operator suggests?
Answer
I think he meant RC4-SHA, as RC4-AES is invalid (and contradictory). Try that.
Oh, and don't do SSLCipherSuite !ALL:RC4-SHA, as that bans the RC4-SHA that you're trying to enable. Just do SSLCipherSuite RC4-SHA.
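To make the answer's point concrete, here is a simplified evaluator of OpenSSL cipher-list syntax (the syntax Apache's SSLCipherSuite takes), showing why `!ALL:RC4-SHA` leaves nothing enabled while `RC4-SHA` alone works. This is an added example, not code from the question, the answer, or OpenSSL: it models only the `ALL`, `!`, `-` and `+` rules over a constructed six-cipher table.

```python
"""Simplified model of how OpenSSL evaluates a cipher-list string.
Constructed example; the cipher table is a small made-up subset."""

# Constructed subset of the cipher table: name -> keywords it matches.
CIPHERS = {
    "RC4-SHA": {"RC4", "SHA1", "RSA", "MEDIUM"},
    "RC4-MD5": {"RC4", "MD5", "RSA", "MEDIUM"},
    "DES-CBC-SHA": {"DES", "CBC", "SHA1", "RSA", "LOW"},
    "AES128-SHA": {"AES", "CBC", "SHA1", "RSA", "HIGH"},
    "NULL-SHA": {"eNULL", "SHA1", "RSA"},  # no encryption
    "ADH-AES128-SHA": {"AES", "CBC", "SHA1", "aNULL", "HIGH"},  # no auth
}


def _matches(word):
    """Names matching one word; 'A+B' means both A and B must match."""
    if word == "ALL":  # everything except the eNULL (no-encryption) suites
        return [n for n, a in CIPHERS.items() if "eNULL" not in a]
    names = list(CIPHERS)
    for part in word.split("+"):
        names = [n for n in names if n == part or part in CIPHERS[n]]
    return names  # empty when the word is unknown, e.g. RC4-AES


def evaluate(spec):
    """Return the enabled cipher names, in order, for a cipher-list string."""
    enabled, banned = [], set()
    for rule in spec.split(":"):
        op = rule[0] if rule[:1] in ("!", "-", "+") else ""
        names = _matches(rule[len(op):])
        if not names:
            continue  # OpenSSL ignores unknown entries rather than failing
        for n in names:
            if op == "!":  # delete and forbid re-adding later in the string
                banned.add(n)
                if n in enabled:
                    enabled.remove(n)
            elif op == "-":  # delete, but a later rule may re-add it
                if n in enabled:
                    enabled.remove(n)
            elif op == "+":  # move already-enabled matches to the end
                if n in enabled:
                    enabled.remove(n)
                    enabled.append(n)
            elif n not in banned and n not in enabled:
                enabled.append(n)
    return enabled


def is_usable(spec):
    # Empty list is OpenSSL's "no cipher match", which stops Apache starting.
    return bool(evaluate(spec))
```

The authoritative check for a real string is `openssl ciphers -v 'SPEC'` on the server, which prints the suites the string actually enables. Note that RC4 has since been prohibited for TLS by RFC 7465, so this illustrates the directive syntax, not a setting to deploy today.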