We have a few different renditions of Apache installed, a Red Hat rpm version and a manually compiled version, and here's how ours are listed:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Thus far this set-up has passed PCI compliance scanning.

-----Original Message-----
From: David Hubbard [mailto:dhubbard@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, December 04, 2008 2:40 AM
To: users@xxxxxxxxxxxxxxxx
Subject: SSLCipherSuite not disabling export ciphers?

Can someone tell me if the SSLCipherSuite directive has any known issues with not fully adhering to what it is given? I've been trying to make a server PCI compliant by disabling all weak SSL ciphers and whatever I try is not disabling the export grade ciphers. I'm using:

SSLCipherSuite HIGH:MEDIUM

yet even after doing that, these six continue to work fine when I test them:

EDH-RSA-DES-CBC-SHA      56 bit
DES-CBC-SHA              56 bit
EXP-EDH-RSA-DES-CBC-SHA  40 bit
EXP-DES-CBC-SHA          40 bit
EXP-RC2-CBC-MD5          40 bit
EXP-RC4-MD5              40 bit

I've altered my directive to have !EXP and even to have each of those six ciphers above explicitly excluded yet they remain enabled.

Thanks,

David

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
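Both messages in the thread turn on what a cipher string means to OpenSSL, which is what mod_ssl hands the SSLCipherSuite value to. The evaluator below is an added example, not code from either poster or from the httpd project: it implements the operator semantics of the OpenSSL cipher-string syntax (plain term appends, `+` moves matching suites to the end, `-` removes them but a later term may re-add them, `!` removes them for good, and `A+B` inside a term means both must match) over a constructed, deliberately tiny table that includes the six suite names David lists. It shows that `HIGH:MEDIUM` never selects export or LOW suites in the first place, that it does select anonymous DH suites (which the reply's `!ADH` takes care of), and what the reply's full string reduces to. The table's attributes are constructed for illustration; on a real system the authoritative check is `openssl ciphers -v '<string>'` against the OpenSSL build Apache is linked with, and neither that command nor this evaluator can tell you what a running server actually negotiates, only what the string selects.

```python
"""Evaluator for the OpenSSL cipher-string syntax used by SSLCipherSuite.
Added example, not code from the mailing-list thread.  The cipher table is
constructed and tiny; real builds list many more suites."""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str     # "SSLv2" or "SSLv3" (TLSv1 suites are listed as SSLv3)
    kx: str        # key exchange: "RSA", "RSA(512)", "DH", "DH(512)"
    au: str        # authentication: "RSA" or "None" (anonymous)
    enc: str       # bulk cipher family, "None" for eNULL suites
    mac: str       # "MD5" or "SHA1"
    strength: str  # "HIGH", "MEDIUM", "LOW", "EXPORT40", "EXPORT56", "NONE"


# Constructed table: real suite names, attributes filled in by hand, listed in
# the order a hypothetical library would enumerate them.
CIPHERS = [
    Cipher("NULL-SHA",                "SSLv3", "RSA",       "RSA",  "None", "SHA1", "NONE"),
    Cipher("EXP-RC4-MD5",             "SSLv3", "RSA(512)",  "RSA",  "RC4",  "MD5",  "EXPORT40"),
    Cipher("EXP-RC2-CBC-MD5",         "SSLv3", "RSA(512)",  "RSA",  "RC2",  "MD5",  "EXPORT40"),
    Cipher("EXP-DES-CBC-SHA",         "SSLv3", "RSA(512)",  "RSA",  "DES",  "SHA1", "EXPORT40"),
    Cipher("EXP-EDH-RSA-DES-CBC-SHA", "SSLv3", "DH(512)",   "RSA",  "DES",  "SHA1", "EXPORT40"),
    Cipher("EXP1024-DES-CBC-SHA",     "SSLv3", "RSA(1024)", "RSA",  "DES",  "SHA1", "EXPORT56"),
    Cipher("DES-CBC-SHA",             "SSLv3", "RSA",       "RSA",  "DES",  "SHA1", "LOW"),
    Cipher("EDH-RSA-DES-CBC-SHA",     "SSLv3", "DH",        "RSA",  "DES",  "SHA1", "LOW"),
    Cipher("RC4-MD5",                 "SSLv3", "RSA",       "RSA",  "RC4",  "MD5",  "MEDIUM"),
    Cipher("RC4-SHA",                 "SSLv3", "RSA",       "RSA",  "RC4",  "SHA1", "MEDIUM"),
    Cipher("DES-CBC3-SHA",            "SSLv3", "RSA",       "RSA",  "3DES", "SHA1", "HIGH"),
    Cipher("DES-CBC3-MD5",            "SSLv2", "RSA",       "RSA",  "3DES", "MD5",  "HIGH"),
    Cipher("AES128-SHA",              "SSLv3", "RSA",       "RSA",  "AES",  "SHA1", "HIGH"),
    Cipher("DHE-RSA-AES256-SHA",      "SSLv3", "DH",        "RSA",  "AES",  "SHA1", "HIGH"),
    Cipher("ADH-AES128-SHA",          "SSLv3", "DH",        "None", "AES",  "SHA1", "HIGH"),
]
BY_NAME = {c.name: c for c in CIPHERS}

# Alias -> predicate.  Aliases are case-sensitive, as in OpenSSL; only the
# ones needed for the strings in the thread (plus a few neighbours) are here.
ALIASES = {
    "ALL":      lambda c: c.enc != "None",          # everything but eNULL
    "HIGH":     lambda c: c.strength == "HIGH",
    "MEDIUM":   lambda c: c.strength == "MEDIUM",
    "LOW":      lambda c: c.strength == "LOW",
    "EXP":      lambda c: c.strength.startswith("EXPORT"),
    "EXPORT":   lambda c: c.strength.startswith("EXPORT"),
    "EXPORT40": lambda c: c.strength == "EXPORT40",
    "EXPORT56": lambda c: c.strength == "EXPORT56",  # 56-bit export only
    "eNULL":    lambda c: c.enc == "None",
    "aNULL":    lambda c: c.au == "None",
    "ADH":      lambda c: c.kx.startswith("DH") and c.au == "None",
    "RSA":      lambda c: c.kx.startswith("RSA"),    # RSA key exchange
    "EDH":      lambda c: c.kx.startswith("DH") and c.au != "None",
    "RC4":      lambda c: c.enc == "RC4",
    "DES":      lambda c: c.enc == "DES",
    "SSLv2":    lambda c: c.proto == "SSLv2",
}


def _predicate(part: str):
    """One alias or one suite name; '+' inside a term ANDs several of them."""
    if part in ALIASES:
        return ALIASES[part]
    if part in BY_NAME:
        return lambda c: c.name == part
    raise ValueError(f"unknown cipher or alias: {part!r}")  # OpenSSL rejects these too


def evaluate(spec: str) -> list[str]:
    """Suite names, in preference order, that the cipher string SPEC selects."""
    active: list[Cipher] = []
    killed: set[str] = set()  # names removed with '!' can never come back
    for word in re.split(r"[:, ]+", spec.strip()):
        if not word:
            continue
        op, term = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        preds = [_predicate(p) for p in term.split("+")]
        hit = {c.name for c in CIPHERS if all(p(c) for p in preds)}
        if op == "!":     # delete permanently
            killed |= hit
            active = [c for c in active if c.name not in hit]
        elif op == "-":   # delete, but a later term may add it back
            active = [c for c in active if c.name not in hit]
        elif op == "+":   # keep the suites, move them to the end of the list
            active = ([c for c in active if c.name not in hit]
                      + [c for c in active if c.name in hit])
        else:             # append matching suites not already listed or killed
            present = {c.name for c in active}
            active += [c for c in CIPHERS if c.name in hit
                       and c.name not in present and c.name not in killed]
    return [c.name for c in active]


def export_suites(spec: str) -> list[str]:
    """Export-grade suites SPEC still leaves enabled; an empty list is the goal."""
    return [n for n in evaluate(spec) if BY_NAME[n].strength.startswith("EXPORT")]


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM",
                 "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP",
                 "ALL:-EXP:EXP", "ALL:!EXP:EXP"):
        print(f"{spec}\n  selects: {evaluate(spec)}\n  export still on: {export_suites(spec)}")
```

Two points the output makes concrete: `HIGH:MEDIUM` leaves every export and LOW suite out because nothing ever adds them, so a string like that alone does not explain a scanner still seeing them, and `-EXP` differs from `!EXP` only when a later term would re-add the suites, which is why the reply's string, with nothing after `-EXP`, still ends up export-free.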