Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: superwormy on March 16, 2010, 03:30:33 PM

Title: Disable MEDIUM and WEAK Ciphers with Apache HTTPS?
Post by: superwormy on March 16, 2010, 03:30:33 PM
For a PCI compliance scan from SecurityMetrics.com, I need to disable MEDIUM and WEAK Ciphers in Apache. I know that with a normal Apache configuration, I just need to set this:
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH

What do I need to do to SME Server to make that happen? I'm also supposed to disable SSLv2.

Title: Re: Disable MEDIUM and WEAK Ciphers with Apache HTTPS?
Post by: cactus on March 16, 2010, 04:05:43 PM
IIRC the latest updates should disable some of the cipher suites for you, as a bug for that has been fixed recently.

The general solution to this is to create a copy of the affected template fragment, modify the copy to your liking, regenerate the configuration file and restart the affected services. A more detailed explanation is given here: http://wiki.contribs.org/Template_Tutorial

All the technical details can be found in the Developers Guide: http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual#Configuration_file_templates
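
To confirm which suites a cipher string like the one in the first post actually enables, before and after editing the template, the output of `openssl ciphers -v` can be audited. This is an added example and not part of the original thread; the function name `audit_ciphers`, the sample lines and the weakness criteria (SSLv2, export, anonymous, unencrypted, under 128 bits, RC4) are assumptions chosen for illustration, not SecurityMetrics' scan rules.

```shell
#!/bin/sh
# Added example: flag weak suites in `openssl ciphers -v` style output.
# Line format: NAME PROTO Kx=.. Au=.. Enc=ALG(BITS) Mac=.. [export]
# The criteria below are illustrative assumptions, not a scanner rule set.
audit_ciphers() {
    awk '
    NF < 5 { next }                      # skip blank or malformed lines
    {
        name = $1; proto = $2; reason = ""; bits = 0; enc = ""; au = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) {
                enc = substr($i, 5)
                # pull the key size out of e.g. "RC4(40)"
                if (match(enc, /\([0-9]+\)/))
                    bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
            } else if ($i ~ /^Au=/) {
                au = substr($i, 4)
            } else if ($i == "export") {
                reason = reason " export"
            }
        }
        if (proto == "SSLv2")  reason = reason " SSLv2"
        if (au == "None")      reason = reason " anonymous"
        if (enc ~ /^None/)     reason = reason " no-encryption"
        else if (bits < 128)   reason = reason " keybits<128"
        if (enc ~ /^RC4/)      reason = reason " RC4"
        if (reason != "") { printf "WEAK %s:%s\n", name, reason; bad++ }
    }
    END { exit (bad > 0) }               # non-zero status if anything flagged
    '
}

# Constructed sample in the format of `openssl ciphers -v` output.
SAMPLE='AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1'

printf '%s\n' "$SAMPLE" | audit_ciphers || echo "weak suites present"

# On a host with openssl, audit the string from the first post:
#   openssl ciphers -v 'ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH' | audit_ciphers
```

The exit status is non-zero when any suite is flagged, so the check can gate a configuration change before the web server is restarted.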