Saturday, December 31, 2011

How to disable SSLv2 and Weak Ciphers and enable SSLv3 on Linux

In order to be Payment Card Industry Data Security Standard (PCI-DSS) v1.2 compliant, we are required to "use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."

Secure Socket Layer (SSL) version 2 is considered weak cryptography in this respect, so it has to be disabled and SSLv3 enabled instead. Assuming you already have OpenSSL installed, you can test the HTTPS connection from another remote machine:

# openssl s_client -ssl2 -connect remote_server:443

If your server does not support SSLv2, you should receive the following error:
CONNECTED(00000003)
22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

If your server accepts SSLv2 connections, the handshake succeeds and s_client waits for input:
CONNECTED(00000003)
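The manual check above has to be read by eye. The following added script (mine, not part of the original post) wraps the same openssl s_client -ssl2 probe in a small classifier so it can be run across a list of hosts from a cron job or a pre-audit checklist. The sample outputs are constructed to match the two cases shown above; the "Unknown option" case is added because OpenSSL builds without SSLv2 support reject the -ssl2 flag, which means the probe says nothing about the server and must not be read as "disabled". The probe_sslv2 function name and the Q-on-stdin trick to close the session are my own choices.

```shell
#!/bin/sh
# Read "openssl s_client -ssl2 ..." output (stdout+stderr merged) from stdin and
# print one word: disabled, ENABLED, client-unsupported, or unknown.
classify_sslv2_output() {
    out=$(cat)
    case "$out" in
        # Client refused the flag: this build has no SSLv2, so the result is not a verdict
        *nknown\ option*)              echo client-unsupported ;;
        # Server rejected the SSLv2 hello (the error string from the post, plus two
        # variants newer OpenSSL releases print)
        *"ssl handshake failure"*|*"unknown protocol"*|*"wrong version number"*)
                                       echo disabled ;;
        # TCP connected and no handshake error followed: SSLv2 was negotiated
        *"CONNECTED("*)                echo ENABLED ;;
        *)                             echo unknown ;;
    esac
}

# Live probe: probe_sslv2 host [port]  (defaults to 443). Sending "Q" on stdin makes
# s_client close the session instead of waiting for input.
probe_sslv2() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -ssl2 -connect "$host:$port" 2>&1 | classify_sslv2_output
}

# Constructed sample outputs (offline demo; not captured from a real host)
SAMPLE_DISABLED='CONNECTED(00000003)
22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_ENABLED='CONNECTED(00000003)
---
SSL handshake has read 1024 bytes and written 200 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5'
SAMPLE_NOSSL2_CLIENT='s_client: Unknown option: -ssl2'

printf 'sample 1 -> %s\n' "$(printf '%s\n' "$SAMPLE_DISABLED" | classify_sslv2_output)"
printf 'sample 2 -> %s\n' "$(printf '%s\n' "$SAMPLE_ENABLED" | classify_sslv2_output)"
printf 'sample 3 -> %s\n' "$(printf '%s\n' "$SAMPLE_NOSSL2_CLIENT" | classify_sslv2_output)"
```

To scan real hosts, loop `probe_sslv2 "$h"` over your list and treat anything other than "disabled" as a finding to follow up; "client-unsupported" means you need an older OpenSSL build (or a dedicated scanner) before you can conclude anything.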

To allow only SSLv3 and TLSv1, modify the SSLProtocol directive in httpd.conf or /etc/httpd/conf.d/ssl.conf. Either of the following lines disables SSLv2; the second is the one in use here:
#SSLProtocol all -SSLv2
SSLProtocol -all +SSLv3 +TLSv1
The cipher list on my /etc/httpd/conf.d/ssl.conf also excludes the SSLv2 ciphers and the export and low-strength suites:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
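The SSLProtocol syntax is easy to get subtly wrong (a bare protocol name replaces the whole set, "+" and "-" adjust it, and a commented-out line like the "#SSLProtocol all -SSLv2" above does nothing). The following added checker (mine, not from the post or from Apache) evaluates SSLProtocol lines the way mod_ssl does and reports whether SSLv2 ends up enabled. Assumptions: the 2.2-era meaning of "all" (SSLv2, SSLv3 and TLSv1), mod_ssl's default of "all" when the directive is absent, and the last directive in the file winning; VirtualHost scoping and the SSLCipherSuite line are not evaluated. The sample config files are constructed.

```shell
#!/bin/sh
# sslv2_status FILE -> prints enabled | disabled | default-enabled
sslv2_status() {
    awk '
    BEGIN { n = split("sslv2 sslv3 tlsv1", proto, " "); found = 0 }
    # Apply one token: "" = bare name (replaces the set), "+" adds, "-" removes.
    # "all" expands to every protocol in proto[] (assumed 2.2-era set).
    function apply(action, w,   j) {
        if (action == "") for (j = 1; j <= n; j++) on[proto[j]] = 0
        for (j = 1; j <= n; j++)
            if (w == "all" || w == proto[j]) on[proto[j]] = (action == "-") ? 0 : 1
    }
    /^[ \t]*#/ { next }                       # commented-out directives are inert
    tolower($1) == "sslprotocol" {
        found = 1
        for (j = 1; j <= n; j++) on[proto[j]] = 0   # each directive starts from NONE
        for (i = 2; i <= NF; i++) {
            w = tolower($i); a = substr(w, 1, 1)
            if (a == "+" || a == "-") w = substr(w, 2); else a = ""
            if (w != "all" && !(w in on)) { print "unknown token: " $i > "/dev/stderr"; continue }
            apply(a, w)
        }
    }
    END {
        if (!found) print "default-enabled"   # no directive: mod_ssl defaults to "all"
        else print (on["sslv2"] ? "enabled" : "disabled")
    }' "$1"
}

# Constructed sample configs for an offline demo
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# constructed: the Apache 2.2 default spelled out, which leaves SSLv2 on
SSLEngine on
SSLProtocol all
EOF
cat > "$tmp/fixed.conf" <<'EOF'
# constructed: mirrors the ssl.conf fragment in the post
SSLEngine on
#SSLProtocol all -SSLv2
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
EOF
cat > "$tmp/none.conf" <<'EOF'
# constructed: SSL on but no SSLProtocol line at all
SSLEngine on
EOF

for f in weak fixed none; do
    printf '%-11s SSLv2 %s\n' "$f.conf:" "$(sslv2_status "$tmp/$f.conf")"
done
```

Run it against /etc/httpd/conf.d/ssl.conf and any other file that carries an SSLProtocol line; "default-enabled" is the case people miss, because nothing in the file looks wrong.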

For more information, see
  1. How to Disable SSLv2 and Weak Ciphers (PCI Compliance) (http://almamunbd.blogspot.com)
  2. How to Disable SSLv2 and Weak Ciphers (PCI Compliance) (http://www.srcnix.com)
