Koozali.org: home of the SME Server

Disable MEDIUM and WEAK Ciphers with Apache HTTPS?

Offline superwormy

« on: March 16, 2010, 03:30:33 PM »
For a PCI compliance scan from SecurityMetrics.com, I need to disable MEDIUM and WEAK Ciphers in Apache. I know that with a normal Apache configuration, I just need to set this:
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH

What do I need to do to SME Server to make that happen? I'm also supposed to disable SSLv2.

Offline cactus

Re: Disable MEDIUM and WEAK Ciphers with Apache HTTPS?
« Reply #1 on: March 16, 2010, 04:05:43 PM »
> For a PCI compliance scan from SecurityMetrics.com, I need to disable MEDIUM and WEAK Ciphers in Apache. I know that with a normal Apache configuration, I just need to set this:
>  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH
>
> What do I need to do to SME Server to make that happen? I'm also supposed to disable SSLv2.

IIRC the latest updates should disable some of the cipher suites for you, as a bug for that has been fixed recently.

The general solution to this is to create a copy of the affected template fragment, modify the copy to your liking, regenerate the configuration file and restart affected services. A more detailed explanation is given here: http://wiki.contribs.org/Template_Tutorial

All the technical details can be found in the Developers Guide: http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual#Configuration_file_templates
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)
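
Added example, not part of the original thread: before putting a cipher string into a custom template fragment, it can be expanded with the local OpenSSL to confirm that no weak suite survives it. The function names and the 128-bit threshold are assumptions of this sketch, and the result reflects the OpenSSL build that Python is linked against, so run it on a host whose OpenSSL matches the server's.

```python
import ssl

# Cipher string quoted in the thread above.
THREAD_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH"
MIN_BITS = 128  # assumption: anything below 128-bit strength counts as weak


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()  # TLS 1.3 suites are listed regardless of the string


def weak_reasons(cipher):
    """List the reasons one get_ciphers() entry counts as weak."""
    reasons = []
    desc = cipher.get("description", "")
    if cipher.get("strength_bits", 0) < MIN_BITS:
        reasons.append("strength below %d bits" % MIN_BITS)
    if "Au=None" in desc:
        reasons.append("anonymous key exchange (aNULL/ADH)")
    if "Enc=None" in desc:
        reasons.append("no encryption (eNULL)")
    if cipher.get("protocol") == "SSLv2":
        reasons.append("SSLv2-only suite")
    return reasons


def audit(ciphers):
    """Map suite name -> reasons, for every weak suite in ciphers."""
    report = {}
    for c in ciphers:
        reasons = weak_reasons(c)
        if reasons:
            report[c["name"]] = reasons
    return report


if __name__ == "__main__":
    suites = expand(THREAD_STRING)
    report = audit(suites)
    print("%d suites enabled, %d weak" % (len(suites), len(report)))
    for name, reasons in sorted(report.items()):
        print("  %s: %s" % (name, "; ".join(reasons)))
```

An empty report means the string leaves only suites at or above the threshold; any entry names the suite and why it would still be flagged by a scan.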