
How to Disable Weak Ciphers and SSL 2.0 and SSL 3.0 in Apache

In order for merchants to handle credit cards, the Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to "use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." That’s a pretty vague definition, but what it really means is that you must use SSL on your web site if your visitors are transferring their credit card numbers to your server. You also need to disable insecure protocols like SSL 2.0 and weak ciphers, or you will fail a PCI compliance scan.

Strangely, most versions of Apache have SSL 2.0 enabled by default. If you have an Apache server, you can disable SSL 2.0 and weak ciphers by following these instructions. First, verify whether weak ciphers or SSL 2.0 are enabled. You can do this using a local OpenSSL command or by just entering your public domain name at https://www.ssllabs.com/ssldb/index.html.

Next, open your httpd.conf or ssl.conf file and search for the SSLCipherSuite directive. If you can’t find it anywhere, you can just add it; otherwise, replace it with the following lines:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Note: The recommended ciphers change often, so you may want to double-check the cipher list against another source.

You can tweak the directive by following the mod_ssl documentation. Just make sure you verify that it will still pass a PCI scan by checking it at https://www.ssllabs.com/ssldb/index.html. Once you have the SSLCipherSuite directive entered, save the file and restart Apache to finish disabling SSL 2.0 and weak ciphers.
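Before restarting Apache, it helps to audit the edited file locally rather than relying only on an external scan. The following script is an added example, not part of the original article: it parses the SSL* directives from an ssl.conf fragment, expands SSLProtocol into the set of protocols actually offered, and flags positively listed cipher names that scanners rate weak. It also flags TLS 1.0 and 1.1, which later PCI DSS revisions retired, and the 3DES (DES-CBC3) suites that appear in the list above, which current scanners mark as weak. The two embedded configuration fragments are constructed samples; the WEAK_CIPHER_MARKERS list is this example's own heuristic, not an Apache or OpenSSL construct.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the directives the article recommends, trimmed to a few suites.
ARTICLE_SSL_CONF = """
# ssl.conf fragment (constructed sample)
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
"""

# Constructed sample of a tighter fragment: TLS 1.2/1.3 only, AEAD suites only.
HARDENED_SSL_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5
SSLHonorCipherOrder on
SSLCompression off
"""

# Heuristic (this example's own): substrings of OpenSSL suite names that PCI-style scans rate weak.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5", "ADH", "AECDH", "IDEA", "SEED")

KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_ssl_directives(conf_text: str) -> Dict[str, str]:
    """Return the last value seen for each SSL* directive (a later line wins in Apache)."""
    directives: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            directives[parts[0]] = parts[1].strip()
    return directives


def protocols_enabled(ssl_protocol: str) -> Set[str]:
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3' into the protocols offered."""
    enabled: Set[str] = set()
    for token in ssl_protocol.split():
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {name}
        if remove:
            enabled -= names
        else:
            enabled |= names
    return enabled


def weak_ciphers(ssl_cipher_suite: str) -> List[str]:
    """List positively offered entries of an SSLCipherSuite string that match a weak marker."""
    weak: List[str] = []
    for entry in ssl_cipher_suite.split(":"):
        if entry.startswith(("!", "-")):
            continue  # explicitly removed, so never offered
        name = entry.lstrip("+")
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            weak.append(name)
    return weak


def audit(conf_text: str) -> List[str]:
    """Return findings for the fragment; an empty list means every check passed."""
    d = parse_ssl_directives(conf_text)
    findings: List[str] = []
    for legacy in LEGACY_PROTOCOLS:
        if legacy in protocols_enabled(d.get("SSLProtocol", "all")):
            findings.append(f"{legacy} still enabled by SSLProtocol")
    if "SSLCipherSuite" not in d:
        findings.append("SSLCipherSuite not set; the OpenSSL default list applies")
    for name in weak_ciphers(d.get("SSLCipherSuite", "")):
        findings.append(f"weak cipher offered: {name}")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client chooses the cipher")
    if d.get("SSLCompression", "off").lower() != "off":
        findings.append("SSLCompression is enabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", ARTICLE_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(f"[{label}]")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against the real file with `audit(open("/etc/httpd/conf.d/ssl.conf").read())`; the parser deliberately ignores `<VirtualHost>` scoping and takes the last value of each directive, so check per-vhost overrides by hand.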


Originally posted on Sat Dec 11, 2010
