Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 12-08-2009, 04:56 PM   #1
LQ Newbie
Registered: Jul 2007
Posts: 18

Rep: Reputation: 0
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl

I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issues the Directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason its not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCIpherSuite configurations I have tried:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to 
# connect.  Disable SSLv2 access by default:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol -SSLv2 +TLSv1 +SSLv3
# SSLProtocol +TLSv1 +SSLv3

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
None of these configurations seem to disable SSLv2 (at all) or the Weak Ciphers, mainly what i believe to be EXPORT40 and EXPORT56 (40-bit and 56-bit respectively).

Every time I edited the ssl.conf I did restart the apache server, i even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.

Any help you guys can provide would be very appreciated.



UPDATE: Ive also tried the directions listed at, which recommended the following:

SSLProtocol all

This also does not appear to work.

Last edited by sowell; 12-08-2009 at 05:06 PM. Reason: update
Old 12-09-2009, 10:00 AM   #2
Registered: Dec 2009
Posts: 37

Rep: Reputation: 17
Did you try this:
SSLProtocol all -SSLv2
Old 12-09-2009, 10:26 AM   #3
LQ Newbie
Registered: Jul 2007
Posts: 18

Original Poster
Rep: Reputation: 0
I did. As a matter of fact, I wound up loading up the mod_info module last night based on some help I got from #httpd on and they couldnt figure it out either. It shows the lines in the module config and the directives it specifies are support by the server are the exact directives I have used in the config. In addition, I did make sure that the only instance of those directives was in the ssl.conf file.




Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Openssl 0.9.7d or newer for RHEL 4.4 legcard Linux - Security 7 11-05-2007 10:35 AM
Need openssl-0.9.8 RPM for RHEL 3.0 dheivan Linux - Enterprise 6 07-18-2007 10:36 AM
OpenSSL in RHEL (0.9.7.a) and the one I installed (0.9.7.g) Swakoo Linux - Newbie 1 07-19-2005 05:36 AM
OpenSSL Apache 2 RedHat 8 bfdlinux Linux - Security 2 07-25-2003 10:18 AM
Openssl and apache huno Linux - General 1 04-21-2003 03:06 PM

All times are GMT -5. The time now is 01:58 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration