Disable ssl ver 2 in apache for pci compliance

by jagbir on January 23, 2010

You need to disable SSL ver 2 and enable SSL ver 3 in apache for PCI compliance. Its very easy to do. Following settings will set SSL ver 3 and also disable older/unsecure cipher suite in Redhat/centos/fedora Linux server:
1. Open /etc/httpd/conf.d/ssl.conf and add or if these lines already there, edit them as per follows:

## Disbale SSLv2 and enable SSLv3
SSLProtocol -All +SSLv3 +TLSv1

2. Reload httpd service to apply the new settings:

# /etc/init.d/httpd reload

3. Verify the settings by connecting to SSL ver 3 protocol:

# openssl s_client -connect localhost:443 -ssl3

It should connect. you can also try connecting to SSL ver 2 which should result in error. Request the PCI test again and it should not complain about Apache SSL related issues.

Previous post:

Next post: