
sowell 12-08-2009 04:56 PM

apache 2.2.3 / RHEL 5 / PCI Compliance / openssl
I have been having extreme difficulties with apache disabling weak ciphers (namely 40-bit / 56-bit). I have issued the directives in the ssl.conf file that are supposed to decline those ciphers, but for some reason it's not doing the job I expected. Below is my ssl.conf configuration outlining the SSLProtocol and SSLCipherSuite configurations I have tried:


#  SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol -SSLv2 +TLSv1 +SSLv3
# SSLProtocol +TLSv1 +SSLv3

#  SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.

None of these configurations seem to disable SSLv2 (at all) or the weak ciphers, mainly what I believe to be EXPORT40 and EXPORT56 (40-bit and 56-bit respectively).

Every time I edited the ssl.conf I did restart the apache server; I even tried a stop/start. Also I have made sure that the httpd.conf file is including ssl.conf in its configuration.

Any help you guys can provide would be very appreciated.



UPDATE: I've also tried the directions listed at, which recommended the following:

SSLProtocol all

This also does not appear to work.

cpplinux 12-09-2009 10:00 AM

Did you try this:
SSLProtocol all -SSLv2

sowell 12-09-2009 10:26 AM

I did. As a matter of fact, I wound up loading up the mod_info module last night based on some help I got from #httpd on and they couldn't figure it out either. It shows the lines in the module config, and the directives it specifies are supported by the server are the exact directives I have used in the config. In addition, I did make sure that the only instance of those directives was in the ssl.conf file.
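An added example, not code from anyone in this thread: a small Python script that reads an ssl.conf, resolves the SSLProtocol and SSLCipherSuite that actually apply in each scope (global vs. a VirtualHost block, last directive wins, commented lines ignored), expands the +/- token syntax of SSLProtocol the way the Apache 2.2 mod_ssl parser does (an unsigned token such as "all" replaces whatever was accumulated before it, "+" adds, "-" removes), and reports cipher-list keywords that still leave export or low-grade suites selectable. The sample configuration is constructed, and the list of weak keywords is my own selection from the openssl ciphers(1) names.

```python
"""Resolve which SSLProtocol / SSLCipherSuite an Apache 2.2 ssl.conf really applies.

Added example (not from the thread). Assumptions: mod_ssl 2.2 protocol tokens
and the parser rule "unsigned token overrides, + adds, - removes"; the weak
keyword list is the author's selection of openssl ciphers(1) names.
"""
import re

# Apache 2.2 mod_ssl protocol set: "all" expands to exactly these.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

# OpenSSL cipher-list keywords that select weak suites.
WEAK_TOKENS = {"EXPORT", "EXP", "EXPORT40", "EXPORT56", "LOW",
               "NULL", "eNULL", "aNULL", "ADH", "DES"}


def _match_protocol(word):
    """Case-insensitive lookup of one protocol name; unknown names are an error."""
    for name in ALL_PROTOCOLS:
        if name.lower() == word.lower():
            return name
    raise ValueError("Illegal protocol '%s'" % word)


def resolve_protocol(arg):
    """Apply the SSLProtocol rules and return enabled protocols in ALL_PROTOCOLS order."""
    enabled = set()
    for word in arg.split():
        sign = ""
        if word[0] in "+-":
            sign, word = word[0], word[1:]
        names = set(ALL_PROTOCOLS) if word.lower() == "all" else {_match_protocol(word)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)  # bare "all" / "SSLv3" discards what came before
    return tuple(p for p in ALL_PROTOCOLS if p in enabled)


def effective_directives(conf_text):
    """Return {scope: {directive: value}}; the last occurrence in a scope wins."""
    scopes, scope = {}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no configuration
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = "VirtualHost " + m.group(1).strip()
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
            continue
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", line, re.I)
        if m:
            name = "SSLProtocol" if m.group(1).lower() == "sslprotocol" else "SSLCipherSuite"
            scopes.setdefault(scope, {})[name] = m.group(2).strip().strip('"')
    return scopes


def audit_cipher_suite(cipher_suite):
    """List the ways an SSLCipherSuite string still lets weak suites through."""
    tokens = cipher_suite.split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    findings = []
    for tok in tokens:
        base = tok.lstrip("+-")
        if not tok.startswith("!") and base in WEAK_TOKENS:
            findings.append("%s is selectable; exclude it with !%s" % (base, base))
    if any(t.lstrip("+") == "ALL" for t in tokens):
        # ALL includes export, LOW and anonymous suites unless they are excluded.
        if not excluded & {"EXPORT", "EXP"}:
            findings.append("ALL without !EXPORT keeps 40/56-bit export suites")
        if "LOW" not in excluded:
            findings.append("ALL without !LOW keeps low-grade suites")
        if "aNULL" not in excluded:
            findings.append("ALL without !aNULL keeps unauthenticated suites")
    return findings


def audit(conf_text):
    """Per scope: resolved protocols, whether SSLv2 survives, and cipher findings."""
    report = {}
    for scope, directives in effective_directives(conf_text).items():
        entry = {}
        if "SSLProtocol" in directives:
            entry["protocols"] = resolve_protocol(directives["SSLProtocol"])
            entry["sslv2_enabled"] = "SSLv2" in entry["protocols"]
        if "SSLCipherSuite" in directives:
            entry["cipher_findings"] = audit_cipher_suite(directives["SSLCipherSuite"])
        else:
            entry["cipher_findings"] = ["no SSLCipherSuite in this scope; inherits or uses the default"]
        report[scope] = entry
    return report


# Constructed sample shaped like the thread's ssl.conf: hardened lines in the
# global scope, while the :443 VirtualHost quietly overrides them.
SAMPLE_CONF = """\
#  SSL Protocol support:
SSLProtocol -all +TLSv1 +SSLv3
# SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:+LOW:+EXP

<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite "HIGH:MEDIUM:!aNULL:!EXPORT:!LOW"
</VirtualHost>
"""

if __name__ == "__main__":
    for scope, entry in audit(SAMPLE_CONF).items():
        print(scope, entry)
```

Run it against the real file with `audit(open("/etc/httpd/conf.d/ssl.conf").read())`. mod_info lists the directives as written; this script shows the merged result per scope, which is what a scanner on port 443 sees. Pair it with an outside check such as `openssl s_client -connect host:443 -ssl2` (with an OpenSSL build that still has SSLv2), which should fail to complete a handshake once the directive is really in effect.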


