Help -- PCI Compliance SSLv2 and vhosts

Hello,

I've tested a few locations in the configs to add this, to keep it simple but still work for *all* IPs and connections. It appears that this setting, when added to the <VirtualHost _default_:443> block, does not propagate to all other 443 VHs. The simple solution I found was to do nothing more than add this one line at the bottom of httpd-ssl.conf, outside of <VirtualHost _default_:443>.

Run this code, then restart apache:
Code:
echo "SSLProtocol -ALL +SSLv3 +TLSv1" >> /etc/httpd/conf/extra/httpd-ssl.conf
Everything else remains untouched and completely default.

John
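The inheritance John describes (an SSLProtocol inside <VirtualHost _default_:443> applies only to that vhost, while one at server scope is picked up by every 443 vhost that does not set its own) can be checked offline before touching a live server. The script below is an added example, not code from this thread, from DirectAdmin or from Apache: it parses a constructed httpd-ssl.conf-style text and works out the protocol set each vhost really ends up with, mirroring mod_ssl's +/- parsing and the Apache 2.2-era default of SSLProtocol all, which includes SSLv2. The sample config, the host names and the FIX_LINE constant are assumptions made for the example. It also exposes two caveats the posts do not spell out: a vhost carrying its own SSLProtocol all still overrides the global line (so the SSL Labs result has to be checked per hostname, not once), and since PCI DSS 3.1 SSLv3 must be off as well, so the audit takes the protocol name as a parameter. Appending FIX_LINE to the text models the same thing as adding the line after the Include in httpd.conf: at global scope the last SSLProtocol read wins.

```python
import re

# Constructed sample httpd-ssl.conf, laid out like the file the thread discusses
# (illustrative text, not the poster's actual config). The global section sets
# no SSLProtocol, so any vhost without its own directive gets mod_ssl's default.
SAMPLE_CONF = """\
Listen 443
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

<VirtualHost _default_:443>
    ServerName default.example
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName shop.example
    SSLEngine on
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName old.example
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

# The thread's one-line fix, appended at server (global) scope.
FIX_LINE = "SSLProtocol -ALL +SSLv3 +TLSv1\n"

# Assumption: Apache 2.2-era mod_ssl, where the compiled-in default is 'all'
# and 'all' expands to SSLv2, SSLv3 and TLSv1.
PROTO_NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
DEFAULT_SSLPROTOCOL = "all"

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
TRACKED = ("sslprotocol", "servername")


def parse_conf(text):
    """Split a config into (global_directives, [(vhost_spec, directives), ...]).
    Only SSLProtocol and ServerName are kept; Include lines are not followed."""
    global_d, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError("nested <VirtualHost>")
            current = (m.group(1).strip(), {})
            continue
        if VHOST_CLOSE.match(line):
            if current is None:
                raise ValueError("</VirtualHost> without matching open")
            vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in TRACKED:
            target = global_d if current is None else current[1]
            target[parts[0].lower()] = parts[1].strip()  # last one wins, as in httpd
    if current is not None:
        raise ValueError("unterminated <VirtualHost>")
    return global_d, vhosts


def enabled_protocols(value):
    """Expand an SSLProtocol argument list into the set of enabled protocols,
    following mod_ssl's parser: '+name' adds, '-name' removes, and a bare name
    replaces the whole set so far. Names are case-insensitive ('-ALL' works)."""
    enabled = set()
    for tok in value.split():
        if tok[0] in "+-":
            op, name = tok[0], tok[1:]
        else:
            op, name = "=", tok
        key = name.lower()
        if key == "all":
            this = set(PROTO_NAMES.values())
        elif key in PROTO_NAMES:
            this = {PROTO_NAMES[key]}
        else:
            raise ValueError("unknown protocol %r" % name)
        if op == "+":
            enabled |= this
        elif op == "-":
            enabled -= this
        else:
            enabled = set(this)
    return enabled


def effective_protocols(text):
    """Map each vhost (by ServerName, or address spec if none) to the protocol
    set it negotiates: its own SSLProtocol if present, else the global one,
    else the mod_ssl default."""
    global_d, vhosts = parse_conf(text)
    inherited = global_d.get("sslprotocol", DEFAULT_SSLPROTOCOL)
    result = {}
    for spec, d in vhosts:
        result[d.get("servername", spec)] = enabled_protocols(d.get("sslprotocol", inherited))
    return result


def still_accepting(text, proto="SSLv2"):
    """Sorted names of vhosts that would still accept the given protocol."""
    return sorted(n for n, ps in effective_protocols(text).items() if proto in ps)


if __name__ == "__main__":
    print("before fix, still SSLv2:", still_accepting(SAMPLE_CONF))
    print("after fix, still SSLv2: ", still_accepting(SAMPLE_CONF + FIX_LINE))
    print("after fix, still SSLv3: ", still_accepting(SAMPLE_CONF + FIX_LINE, "SSLv3"))
```

Before the fix only the _default_ vhost is clean; after appending the global line shop.example inherits it, but old.example keeps its own SSLProtocol all and still offers SSLv2, which is exactly the case a per-vhost grep of the DirectAdmin-generated config should look for before rerunning the SSL Labs scan.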
It says in /etc/httpd/conf/httpd.conf, where it includes the extra/httpd-ssl.conf file, that the extra/httpd-ssl.conf will be overwritten at every DA upgrade :eek:

So would it be safe to add these 2 lines to /etc/httpd/conf/httpd.conf (below the part where it includes the ssl.conf file)?
Code:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

And then comment out this line in httpd-ssl.conf:
Code:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
?


I've tested these settings, and they give me a score of 88 (previously 52) on ssllabs.com's test.
So they work. They just have to stick during all possible upgrades ;)