Thanks Igor.

1 - Will eventually upgrade to latest, but wanted solution for 2.2.10 to fix in few days.
2 - I don't see SSLProtocol property in config file for 2.2.10
3 - Thanks for the additional link. Will check it out.

Regards
Denise Edwards

-----Original Message-----
From: Igor Galić [mailto:i.galic@xxxxxxxxxxxxxx]
Sent: Monday, October 18, 2010 1:25 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: SSL vulnerability question

----- "Denise Edwards" <Denise.Edwards@xxxxxxxxx> wrote:

> Hi,
>
> Received security scan results which had two issues:
>
> 1-SSL Server Supports Weak Encryption Vulnerability
>
> 2-SSL Server Has SSLv2 Enabled Vulnerability
>
> Two questions:
>
> - Has anyone had to address these issues for their installation of
> Apache httpd

Yes.

> - If so what did you do?

Not what you did.

> Background info:
>
> - I'm using Apache httpd v2.2.10

Why not run the latest ;)

> - SSLCipherSuite property includes high, medium, low and SSLv2

And that's your problem.

SSLProtocol TLSv1 SSLv3
SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5

This config should be reasonably fast (at least with 2.3 ;) and
``PCI DSS compliant''

See Paul Querna's Overclocking mod_ssl article for more info:
http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/

> Regards
>
> Denise

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

CONFIDENTIALITY NOTICE: The information in this Internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized.
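An added example, not part of either message and not Apache httpd code: a small Python audit of the two directives discussed in the thread, run over a config with no SSLProtocol line and over the two lines from the reply. It assumes the httpd 2.2 default of `SSLProtocol all` (which covers SSLv2) when the directive is absent; the sample files, the function names, and the handling of a bare protocol name as `+name` are constructed for illustration.

```python
import re

ALL_22 = {"sslv2", "sslv3", "tlsv1"}  # what "all" covers in httpd 2.2's mod_ssl
WEAK = {"low", "exp", "export", "export40", "export56", "sslv2",
        "null", "enull", "anull", "adh"}  # OpenSSL cipher-string group names

# Constructed input: no active SSLProtocol line, cipher list as in the question.
BEFORE = """\
#SSLProtocol -all +TLSv1
SSLCipherSuite HIGH:MEDIUM:LOW:SSLv2
"""
# The two directives from the reply, as a constructed file.
AFTER = """\
SSLProtocol TLSv1 SSLv3
SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5
"""

def directive(conf, name):
    """Arguments of the last uncommented `name` line, or None if absent."""
    found = None
    for line in conf.splitlines():
        m = re.match(r"\s*%s\s+(.+?)\s*$" % re.escape(name), line, re.I)
        if m:
            found = m.group(1)
    return found

def protocols(conf):
    args = directive(conf, "SSLProtocol")
    if args is None:
        return set(ALL_22)  # 2.2 default: "SSLProtocol all"
    enabled = set()
    for tok in args.split():
        # Simplification (assumption): a bare name is handled like "+name".
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_22 if name.lower() == "all" else {name.lower()}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def weak_cipher_tokens(conf):
    """Weak group names the cipher string adds explicitly. Aliases such as ALL
    are not expanded; `openssl ciphers -v` on the server shows the real list."""
    args = directive(conf, "SSLCipherSuite") or ""
    # "!" and "-" remove ciphers and "+" only reorders, so those are skipped.
    return [t for t in re.split(r"[:, ]+", args)
            if t and t[0] not in "!-+" and t.lower() in WEAK]

def audit(conf):
    findings = ["SSLv2 enabled"] if "sslv2" in protocols(conf) else []
    return findings + ["weak cipher group: " + t for t in weak_cipher_tokens(conf)]
```

Calling `audit(BEFORE)` reports SSLv2 plus the `LOW` and `SSLv2` cipher groups, while `audit(AFTER)` returns an empty list.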