apache 2.2.3 / RHEL 5 / PCI Compliance / openssl
I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issues the Directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason its not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCIpherSuite configurations I have tried:
Every time I edited the ssl.conf I did restart the apache server, i even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.
Any help you guys can provide would be very appreciated.
UPDATE: Ive also tried the directions listed at http://httpd.apache.org/docs/2.2/ssl...tml#onlystrong, which recommended the following:
This also does not appear to work.
Did you try this:
SSLProtocol all -SSLv2
I did. As a matter of fact, I wound up loading up the mod_info module last night based on some help I got from #httpd on freenode.net and they couldnt figure it out either. It shows the lines in the module config and the directives it specifies are support by the server are the exact directives I have used in the config. In addition, I did make sure that the only instance of those directives was in the ssl.conf file.
|All times are GMT -5. The time now is 09:19 AM.|