How to Disable Weak Ciphers and SSL 2.0 in Apache

In order for merchants to handle credit cards, the Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to "use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." That’s a pretty vague definition, but what is really means is that you must use SSL on your web site if your visitors are transferring their credit card numbers to your server. You also need to disable insecure protocols like SSL 2.0 and weak ciphers or you will fail a PCI compliance scan.

Strangely, most versions of Apache have SSL 2.0 enabled by default. If you have an Apache server, you can disable SSL 2.0 and disable weak ciphers by following these instructions. First, verify that you have weak ciphers or SSL 2.0 enabled. You can do this using a local OpenSSL command or by just entering your public domain name in at https://www.ssllabs.com/ssldb/index.html

Next, open your httpd.conf or ssl.conf file and search for the SSLCipherSuite directive. If you can’t find it anywhere, you can just add it, otherwise, replace it with the following:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

Apache Disable SSL 2.0 and Weak Ciphers

You can tweak the directive by following the mod_ssl documentation. Just make sure you verify that it will still pass a PCI scan by checking it at https://www.ssllabs.com/ssldb/index.html. Once you have the SSLCipherSuite directive entered, save the file and restart Apache to finish disabling SSL 2.0 and weak ciphers.

More resources:

 Digg  del.icio.us  Reddit

Posted on December 11, 2010
jeffrey
Posts: 3
Comment
RC4 should be disabled
Reply #3 on : Mon March 31, 2014, 19:57:18
RC4 is considered broken now.
Paul
Posts: 3
Comment
Disadvantages/Cons
Reply #2 on : Wed July 17, 2013, 12:23:00
Do you know what the disadvantages on older browsers (IE, Firefox, Chrome, Safari) when weak SSL Protocols and weak SSL Ciphers are disabled? Or the Cons? Thank you Paul
jekader
Posts: 3
Comment
thanks
Reply #1 on : Fri August 10, 2012, 01:18:51
thanks for the help, it really saving my time - just copy-pasted this into the apache config.

Write a comment


If you have trouble reading the code, click on the code itself to generate a new random code.
Security Code:
 
Post Comment