Please provide an Apache SSLCipherSuite that will pass a PCI Compliance Scan
R

6

17

I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...

SSLProtocol    ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available.

I then changed to...

SSLProtocol -ALL +SSLv3 +TLSv1

and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

I am restarting apache after updates and apachectl configtest says that my syntax is ok. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.

It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.

If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.

Thanks.

Rebound answered 24/4, 2011 at 7:41 Comment(1)
Please see #5769831 – Aret
A
14

As new vulnerabilities are discovered and browsers are upgraded, the answers here can (will) become outdated. I'd suggest you rely on Mozilla SSL Configuration Generator to check which configuration you should use.


UPDATE 2018: It's reasonable to enforce Perfect Forward Secrecy now, unless you need to support older browsers specifically. As of November 2018, only the "modern" profile will enable Perfect Forward Secrecy. Read more about it at:

SSL Labs: Deploying Forward Secrecy

Configuring Apache, Nginx, and OpenSSL for Forward Secrecy

Aret answered 2/2, 2015 at 18:30 Comment(1)
This should be moved to be the preferred answer. – Delegate
R
8

After hours of searching and hair pulling I found my problem.

The default SSLProtocol and SSLCipherSuite directives in my ssl.conf are stored in a default container labeled as <VirtualHost _default_:443>.

My actual site has its own container labeled with its IP address, e.g. <VirtualHost 64.34.119.12:443>. Changing the values in the _default_ container had no effect, but adding the stronger SSLProtocol and SSLCipherSuite directives directly to the site-specific VirtualHost container finally allowed them to take effect.

Still not sure why adjusting the _default_ container or having them in the VirtualHost container in httpd.conf didn't work.

As a definitive answer to the question, I used...

SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

to pass my ScanAlert scan. I would bet that most of the other strings above would work as well.

Rebound answered 25/4, 2011 at 17:13 Comment(2)
I had a similar problem disabling SSLv2. In our case, the server is running with Plesk. I had to put the above code just before, not inside, the VirtualHost containers; that did the trick for us. I did not disable the weak ciphers, however; I'm not sure how widely strong ciphers are available in non-US countries due to old export restrictions. – Lentil
This is a terrible string to use and should not be used EVER (as of 2015). It allows several completely insecure suites. Always test with ssllabs.com/ssltest – Prepared
C
2

Did you tell Apache to enforce cipher order?

SSLHonorCipherOrder on

Cornuted answered 10/9, 2013 at 22:10 Comment(0)
S
2

FYI - I found that this setting:

SSLCipherSuite HIGH:!SSLv2:!ADH

Produced the exact same list of protocols as this setting:

SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

According to:

openssl ciphers -v 'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
openssl ciphers -v 'HIGH:!SSLv2:!ADH'
Scheldt answered 20/10, 2013 at 14:0 Comment(0)
N
2

The following configuration is recommended by Qualys; it gave us an A on their scanner.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Yes, also make sure Apache is able to read the new configuration. I place this directly inside the virtual host container.

From their website: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Nameplate answered 15/1, 2014 at 18:1 Comment(1)
This configuration doesn't support IE6 on Windows XP. You may want to add "+RC4 RC4" at the end if that is still important to you. – Budde
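The two checks that come up in this thread, whether a string still admits weak or anonymous suites (the question, and the comparison of HIGH:!SSLv2:!ADH with the accepted string) and whether every suite it selects has an ephemeral key exchange (the Qualys forward-secrecy answer above), can be run offline with Python's ssl module, which hands the string to the same OpenSSL parser that Apache's SSLCipherSuite and openssl ciphers -v use. This is an added example, not code from the thread, from Qualys or from Mozilla. The cipher strings are the ones quoted in the thread; the function names, the 128-bit threshold and the weak/forward-secrecy classifications are this example's own assumptions, not PCI DSS criteria.

```python
"""Expand SSLCipherSuite strings through the local OpenSSL and audit them.

Added example, not code from the original thread.  The cipher strings are
the ones quoted there; weak_suites()/non_forward_secret() and their
thresholds are this example's own choices, not PCI DSS rules.
"""
import re
import ssl

# Strings quoted in the thread (constructed test inputs for this example).
FEDORA_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ACCEPTED = "ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH"
SHORT_FORM = "HIGH:!SSLv2:!ADH"
QUALYS_2013 = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW "
    "!3DES !MD5 !EXP !PSK !SRP !DSS"
)


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the string selects, in OpenSSL's order.

    Each entry is (name, protocol, strength_bits, kx, au).  kx and au are
    parsed from the `openssl ciphers -v` style description OpenSSL returns,
    so the result is exactly what that command prints on this machine.
    TLS 1.3 suites are dropped: SSLCipherSuite/set_ciphers() do not govern
    them.  Tokens OpenSSL no longer knows (e.g. +SSLv2, !EXPORT56) are
    skipped by its parser, which is why decade-old strings still load.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches at all
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        kx = re.search(r"Kx=(\S+)", c["description"]).group(1)
        au = re.search(r"Au=(\S+)", c["description"]).group(1)
        suites.append((c["name"], c["protocol"], c["strength_bits"], kx, au))
    return suites


def weak_suites(cipher_string, min_bits=128):
    """Suites a scanner like the one in the question objects to.

    Flags anything under min_bits of key strength (the 40/56-bit export and
    DES suites the scans reported), anonymous authentication (Au=None), and
    RC4- or MD5-based suites.  The threshold is this example's assumption.
    """
    return [
        name
        for name, _proto, bits, _kx, au in expand(cipher_string)
        if bits < min_bits or au == "None" or "RC4" in name or "MD5" in name
    ]


def non_forward_secret(cipher_string):
    """Suites whose key exchange is not ephemeral.

    Ephemeral suites print Kx=ECDH or Kx=DH; static RSA prints Kx=RSA and
    old static-ECDH suites print Kx=ECDH/RSA, both of which let a stolen
    server key decrypt recorded sessions.
    """
    return [
        name
        for name, _proto, _bits, kx, _au in expand(cipher_string)
        if kx not in ("ECDH", "DH")
    ]


def same_suites(a, b):
    """True when two strings select the same set of suites (order aside)."""
    return {s[0] for s in expand(a)} == {s[0] for s in expand(b)}


if __name__ == "__main__":
    for label, s in [("Fedora default", FEDORA_DEFAULT), ("accepted", ACCEPTED),
                     ("short form", SHORT_FORM), ("Qualys 2013", QUALYS_2013)]:
        print(f"{label}: {len(expand(s))} suites")
        print(f"  weak: {weak_suites(s)}")
        print(f"  no forward secrecy: {non_forward_secret(s)}")
    print("accepted == short form:", same_suites(ACCEPTED, SHORT_FORM))
```

Two caveats when reading the output. The lists reflect the OpenSSL the script runs against: current builds compile out the export, DES and RC4 suites entirely, so the 40- and 56-bit suites that failed the 2011 scan will not appear no matter what string is given, and the trailing RC4 token in the Qualys string selects nothing; on a build that still has RC4, that token adds RC4-SHA with Kx=RSA and non_forward_secret() flags it. Whether the audited string is the one Apache actually loaded is a separate question, which is the trap the accepted answer fell into: apachectl -S dumps the parsed virtual host table and shows which VirtualHost block a given address:port resolves to.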
H
0

Look here Mozilla Wiki.

The goal of this document is to help operational teams with the configuration of TLS on servers.

Hautemarne answered 1/10, 2014 at 10:3 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.