How to Disable Weak Ciphers and SSL 2.0 in Apache

In order for merchants to handle credit cards, the Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to "use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." That’s a pretty vague definition, but what is really means is that you must use SSL on your web site if your visitors are transferring their credit card numbers to your server. You also need to disable insecure protocols like SSL 2.0 and weak ciphers or you will fail a PCI compliance scan.

Strangely, most versions of Apache have SSL 2.0 enabled by default. If you have an Apache server, you can disable SSL 2.0 and disable weak ciphers by following these instructions. First, verify that you have weak ciphers or SSL 2.0 enabled. You can do this using a local OpenSSL command or by just entering your public domain name in at https://www.ssllabs.com/ssldb/index.html

Next, open your httpd.conf or ssl.conf file and search for the SSLCipherSuite directive. If you can’t find it anywhere, you can just add it, otherwise, replace it with the following:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

Apache Disable SSL 2.0 and Weak Ciphers

You can tweak the directive by following the mod_ssl documentation. Just make sure you verify that it will still pass a PCI scan by checking it at https://www.ssllabs.com/ssldb/index.html. Once you have the SSLCipherSuite directive entered, save the file and restart Apache to finish disabling SSL 2.0 and weak ciphers.

More resources:

Originally posted on Sat Dec 11, 2010

Comments (3)

  1. jeffrey:
    Mar 31, 2014 at 05:57 PM

    RC4 is considered broken now.

  2. Paul:
    Jul 17, 2013 at 10:23 AM

    Do you know what the disadvantages on older browsers (IE, Firefox, Chrome, Safari) when weak SSL Protocols and weak SSL Ciphers are disabled? Or the Cons? Thank you Paul

  3. jekader:
    Aug 09, 2012 at 11:18 PM

    thanks for the help, it really saving my time - just copy-pasted this into the apache config.





Allowed tags: <b><i><br>Add a new comment: