

Apache Configuration and PCI Compliance - Configuration Change #2

In the first article, I talked about the importance of setting ServerTokens to Prod on your production-facing servers in order to ward off unwanted attention from the PCI scan. Another area you should focus on is your SSL server settings. A base SSL configuration in Apache will produce at least four (and maybe more) separate findings, even if you are running the latest version of Apache and mod_ssl. This is because a base SSL config enables things that scanners and PCI compliance officers love to alert on: SSLv2, null ciphers and weak ciphers.

In addition to setting ServerTokens to Prod, set the SSLProtocol and SSLCipherSuite directives in your SSL configuration section. The protocol line is:

SSLProtocol -ALL +SSLv3 +TLSv1

This disables SSLv2: -ALL empties the protocol list, and only SSLv3 and TLSv1 are added back. It does not by itself get rid of null ciphers or weak (<128-bit) ciphers, because both exist for SSLv3 and TLSv1 as well; those are controlled by SSLCipherSuite, which must exclude the aNULL, eNULL, LOW and EXPORT cipher groups (check the result with openssl ciphers -v on the string you choose). One caveat for anyone reading this later: PCI DSS has since stopped accepting SSLv3 and early TLS (TLS 1.0), so the same exercise today means enabling only TLSv1.2 or later. With both directives set, the scanner will no longer tag you with the following vulnerabilities:

SSL Server Supports Weak Encryption

SSL Server Allows Cleartext Encryption

SSL Server May Be Forced to Use Weak Encryption

SSL Server Allows Anonymous Authentication
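To make the split between the two directives concrete, here is an added example (written for this article, not code from the original page or from the Apache project) that lints httpd.conf fragments the way the PCI scanner would judge them: it applies mod_ssl's SSLProtocol parsing rules to see whether SSLv2 survives, then checks SSLCipherSuite for the explicit exclusions. The three fragments at the bottom are constructed sample input, the "all" expansion assumes the Apache 2.2 era of the article (no TLSv1.1/1.2), and the hardened cipher string is an assumed example, not a recommendation from the page. The cipher check is a literal token check; the ground truth for a cipher string is always `openssl ciphers -v`.

```python
"""Lint Apache mod_ssl directives for the settings a PCI scan flags.

Added example for this article; the config fragments below are
constructed sample input and the hardened cipher string is assumed.
"""
import re

# What "all" expands to in the Apache 2.2 era (assumption: no TLSv1.1/1.2).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# mod_ssl's built-in default when SSLCipherSuite is not set at all.
DEFAULT_CIPHERSUITE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

# Exclusion tokens a clean cipher string carries. A "!" token in an OpenSSL
# cipher string removes those ciphers wherever it appears, so position is
# irrelevant. "!ADH" only covers DH-anonymous suites; "!aNULL" covers all.
CIPHER_CHECKS = (
    (("!aNULL", "!ADH"), "anonymous key exchange"),
    (("!eNULL", "!NULL"), "null (cleartext) ciphers"),
    (("!LOW",), "low-strength (<128-bit) ciphers"),
    (("!EXPORT", "!EXP"), "export-grade ciphers"),
)


def parse_directives(conf_text):
    """Return {directive: value} for the SSL* directives, ignoring comments."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(SSL\w+)\s+(.+)$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip()
    return directives


def enabled_protocols(value):
    """Mirror mod_ssl's SSLProtocol parsing: '+name' adds, '-name' removes,
    a bare name replaces the whole set, and 'all' expands to every protocol."""
    enabled = set()
    for token in value.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in CANONICAL:
            names = {CANONICAL[name.lower()]}
        else:
            raise ValueError("Illegal protocol %r" % name)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def audit(conf_text):
    """Return the findings a scanner-minded reviewer would raise on the fragment."""
    d = parse_directives(conf_text)
    findings = []
    if "SSLv2" in enabled_protocols(d.get("SSLProtocol", "all")):
        findings.append("SSLv2 enabled by SSLProtocol")
    # An absent SSLCipherSuite means mod_ssl's default string is in force.
    tokens = set(d.get("SSLCipherSuite", DEFAULT_CIPHERSUITE).split(":"))
    for fixes, what in CIPHER_CHECKS:
        if not tokens.intersection(fixes):
            findings.append("SSLCipherSuite does not exclude %s (add %s)" % (what, fixes[0]))
    return findings


# Constructed fragments: a base config, the article's protocol-only change,
# and both directives set (cipher string is an assumed example).
BASE_CONF = """
SSLEngine on
SSLProtocol all
"""

PROTOCOL_ONLY_CONF = """
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
"""

HARDENED_CONF = """
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2
"""

if __name__ == "__main__":
    for label, conf in (("base", BASE_CONF), ("protocol only", PROTOCOL_ONLY_CONF),
                        ("hardened", HARDENED_CONF)):
        print("%s: %s" % (label, audit(conf) or "clean"))
```

Running it shows the point of the split: the base fragment earns four findings, the protocol-only fragment still earns the three cipher findings because SSLv3 and TLSv1 can carry null and weak ciphers, and only the fragment with both directives set comes back clean.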


In my opinion, four fewer vulnerabilities to worry about per site is a great thing.

