Apache SSLCipherSuite continues to fail in PCI compliance scan

Tags:
Apache
Fedora
PCI compliance
PCI DSS
We have a Fedora server running Apache that needs to pass a PCI DSS compliance scan by McAfee. Here's what we used for the default SSLCipherSuite and SSLProtocol.
SSLProtocol    ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
So it failed because of weak ciphers. We changed it to this:
SSLProtocol -ALL +SSLv3 +TLSv1
We also tried strings reported on different sites to pass the scan, but it continues to fail. Any ideas? Thanks!

Answer Wiki


How about this config in your ssl.conf and your VirtualHost container:

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLInsecureRenegotiation off
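To see why a given SSLProtocol / SSLCipherSuite pair keeps failing before re-running the scan, here is an added keyword-level linter (example code written for this page, not from the question or the answer above). It applies Apache's SSLProtocol add/remove semantics and reports the OpenSSL cipher keywords a scanner will reject; the set that "all" expands to is an assumption modelled on httpd 2.4 with a TLS 1.3-capable OpenSSL, and the cipher check works on keywords only, not on a full OpenSSL cipher-list expansion.

```python
"""Lint Apache SSLProtocol / SSLCipherSuite values for what a PCI scan will reject."""
import re

# What Apache's "all" keyword expands to; assumed here (modelled on httpd 2.4 + OpenSSL 1.1.1)
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# SSL and "early TLS" (TLS 1.0) fail PCI DSS scans
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# OpenSSL cipher-string keywords that select ciphers scanners flag (upper-cased)
WEAK_KEYWORDS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56", "LOW", "MEDIUM", "RC4",
                 "DES", "3DES", "MD5", "NULL", "ENULL", "ANULL", "ADH", "AECDH",
                 "SSLV2", "COMPLEMENTOFALL"}
# Broad selectors that pull in every cipher the OpenSSL build knows, weak ones included
BROAD_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}


def parse_ssl_protocol(value):
    """Apache semantics: start empty; a bare or '+' token adds, a '-' token removes."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if action == "+" else enabled - names
    return enabled


def lint_cipher_suite(value):
    """Return the weak keywords the cipher string still leaves reachable."""
    excluded, selected, broad = set(), set(), False
    for token in filter(None, re.split(r"[:, ]+", value)):
        prefix, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        parts = {p.upper() for p in body.split("+")}  # "RC4+RSA" is a logical AND
        if prefix == "!":
            excluded |= parts          # '!' is the only permanent exclusion
        elif prefix:
            continue                   # '-' can be re-added later; '+' only reorders
        else:
            selected |= parts & WEAK_KEYWORDS
            broad = broad or bool(parts & BROAD_KEYWORDS)
    reachable = (WEAK_KEYWORDS if broad else set()) | selected
    return reachable - excluded


def pci_findings(protocol_line, cipher_line):
    """Human-readable list of why a scanner would fail this pair of directive values."""
    findings = [f"protocol {p} is enabled"
                for p in sorted(parse_ssl_protocol(protocol_line) & WEAK_PROTOCOLS)]
    findings += [f"cipher keyword {k} is still allowed"
                 for k in sorted(lint_cipher_suite(cipher_line))]
    return findings
```

Run against the question's original values it reports SSLv3 and TLSv1 plus every weak class that ALL drags in except the excluded ADH; against the answer's values it reports nothing.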

Discuss This Question: 1  Reply

  • Kevin Beaver
    What, specifically, are you failing? It's likely because of the SSLv3 and TLSv1.0. Any more details?
