LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   apache 2.2.3 / RHEL 5 / PCI Compliance / openssl (https://www.linuxquestions.org/questions/linux-server-73/apache-2-2-3-rhel-5-pci-compliance-openssl-774310/)

sowell 12-08-2009 03:56 PM
apache 2.2.3 / RHEL 5 / PCI Compliance / openssl
 
I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issues the Directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason its not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCIpherSuite configurations I have tried:

Code:
#  SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol -SSLv2 +TLSv1 +SSLv3
# SSLProtocol +TLSv1 +SSLv3


#  SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#  SSLCipherSuite HIGH:MEDIUM:!SSLv2:@STRENGTH
SSLCipherSuite HIGH:!SSLv2:!EXPORT:!LOW:!MEDIUM
# SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:HIGH:MEDIUM:!LOW
#SSLCipherSuite !ALL:HIGH:!MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!EXPORT40:!EXPORT56
None of these configurations seem to disable SSLv2 (at all) or the Weak Ciphers, mainly what i believe to be EXPORT40 and EXPORT56 (40-bit and 56-bit respectively).

Every time I edited the ssl.conf I did restart the apache server, i even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.

Any help you guys can provide would be very appreciated.

Thanks.

Sol

UPDATE: Ive also tried the directions listed at http://httpd.apache.org/docs/2.2/ssl...tml#onlystrong, which recommended the following:

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

This also does not appear to work.

cpplinux 12-09-2009 09:00 AM
Did you try this:
SSLProtocol all -SSLv2

http://www.modssl.org/docs/2.7/ssl_reference.html#ToC8

sowell 12-09-2009 09:26 AM
I did. As a matter of fact, I wound up loading up the mod_info module last night based on some help I got from #httpd on freenode.net and they couldnt figure it out either. It shows the lines in the module config and the directives it specifies are support by the server are the exact directives I have used in the config. In addition, I did make sure that the only instance of those directives was in the ssl.conf file.

Thanks.

Sol


All times are GMT -5. The time now is 03:30 AM.