How to Disable Weak Ciphers and SSL 2.0 and SSL 3.0 in Apache
In order for merchants to handle credit cards, the Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to "use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." That’s a pretty vague definition, but what is really means is that you must use SSL on your web site if your visitors are transferring their credit card numbers to your server. You also need to disable insecure protocols like SSL 2.0 and weak ciphers or you will fail a PCI compliance scan.
Strangely, most versions of Apache have SSL 2.0 enabled by default. If you have an Apache server, you can disable SSL 2.0 and disable weak ciphers by following these instructions. First, verify that you have weak ciphers or SSL 2.0 enabled. You can do this using a local OpenSSL command or by just entering your public domain name in at https://www.ssllabs.com/ssldb/index.html
Next, open your httpd.conf or ssl.conf file and search for the SSLCipherSuite directive. If you can’t find it anywhere, you can just add it, otherwise, replace it with the following:
SSLProtocol all -SSLv2 -SSLv3
# OCSP Stapling, only in httpd 2.3.3 and later
Note: The reccomended ciphers change often so you may want to double-check the cipher list with another source.
You can tweak the directive by following the mod_ssl documentation. Just make sure you verify that it will still pass a PCI scan by checking it at https://www.ssllabs.com/ssldb/index.html. Once you have the SSLCipherSuite directive entered, save the file and restart Apache to finish disabling SSL 2.0 and weak ciphers.
- mod_ssl documentation for disabling SSL 2.0 and weak ciphers
- How to Disable SSL 2.0 in IIS 7
- Mozilla SSL Configuration Generator
Originally posted on Sat Dec 11, 2010