Disable SSL ver 2 in Apache for PCI compliance
January 23rd, 2010
You need to disable SSL ver 2 and enable SSL ver 3 in Apache for PCI compliance. It's very easy to do. The following settings enable SSL ver 3 and also disable the older, insecure cipher suites on a Red Hat / CentOS / Fedora Linux server:
1. Open /etc/httpd/conf.d/ssl.conf and add the following lines (or, if they are already there, edit them to match):

    ## Disable SSLv2 and enable SSLv3
    SSLProtocol -All +SSLv3 +TLSv1
    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
2. Reload the httpd service to apply the new settings:

    # /etc/init.d/httpd reload

3. Verify the settings by connecting with the SSL ver 3 protocol:

    # openssl s_client -connect localhost:443 -ssl3

It should connect. You can also try connecting with SSL ver 2, which should fail with an error. Request the PCI test again and it should no longer complain about Apache SSL-related issues.
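Added example, not part of the original post: a small POSIX shell audit that reads an ssl.conf-style file and reports whether the SSLProtocol and SSLCipherSuite directives actually leave SSLv2 off, before you re-run the PCI test. It simulates mod_ssl's parsing of the SSLProtocol value (the set starts empty, "+tok" adds, "-tok" removes, a bare token replaces the set), so it goes a little beyond the post's exact line and also handles spellings such as "All -SSLv2", a bare protocol list, or a missing directive. The two sample configs it writes to temporary files, and the function names, are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache ssl.conf for the
# SSLv2 settings described above. Sample config text below is constructed.

# Simulate mod_ssl's SSLProtocol parsing: the set starts empty, "+tok" adds,
# "-tok" removes, and a bare token replaces the whole set.
# Prints 1 if SSLv2 would end up enabled, 0 otherwise.
sslv2_enabled_by_protocol() {
    enabled=0
    for tok in $1; do
        case "$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')" in
            all|+all|sslv2|+sslv2) enabled=1 ;;
            -all|-sslv2)           enabled=0 ;;
            -*|+*)                 ;;            # other protocols do not affect SSLv2
            *)                     enabled=0 ;;  # bare token replaces the set
        esac
    done
    echo "$enabled"
}

# Value of the last occurrence of a directive in a config file (later lines win).
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); val = $0
    } END { print val }' "$1"
}

# Returns 0 when the file disables SSLv2 at both the protocol and the cipher level.
check_ssl_conf() {
    proto=$(directive_value "$1" SSLProtocol)
    ciphers=$(directive_value "$1" SSLCipherSuite)
    rc=0
    if [ -z "$proto" ]; then
        echo "FAIL: no SSLProtocol directive, SSLv2 is not explicitly disabled"; rc=1
    elif [ "$(sslv2_enabled_by_protocol "$proto")" = 1 ]; then
        echo "FAIL: SSLProtocol still allows SSLv2: $proto"; rc=1
    fi
    case ":$ciphers:" in
        *:!SSLv2:*) ;;
        *) echo "FAIL: SSLCipherSuite does not exclude SSLv2 ciphers: ${ciphers:-<none>}"; rc=1 ;;
    esac
    for weak in aNULL eNULL; do
        case ":$ciphers:" in
            *:!$weak:*) ;;
            *) echo "WARN: SSLCipherSuite does not exclude $weak ciphers" ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 disables SSLv2"
    return "$rc"
}

# Write two constructed sample configs: a weak "before" and the post's "after".
write_sample_configs() {
    WEAK_CONF=$(mktemp) && HARDENED_CONF=$(mktemp) || return 1
    cat >"$WEAK_CONF" <<'EOF'
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
EOF
    cat >"$HARDENED_CONF" <<'EOF'
SSLEngine on
## Disable SSLv2 and enable SSLv3
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
EOF
}

write_sample_configs
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
check_ssl_conf "$WEAK_CONF" || true   # expected to report failures
check_ssl_conf "$HARDENED_CONF"       # expected to report OK
```

To audit the real file, call check_ssl_conf /etc/httpd/conf.d/ssl.conf after step 1. The script only reads configuration; it does not replace the live check in step 3, which confirms what the reloaded httpd actually negotiates. The same token simulation can be extended to SSLv3 with a second flag, which matters because later PCI DSS versions stopped accepting SSLv3 as strong cryptography as well.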