PCI Compliance SSL Cipher Issue

park6469 (New member, joined Jun 18, 2009)
I've got a pesky PCI compliance scan issue I can't seem to resolve:

Synopsis : The remote service supports the use of medium strength SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)


I tried adding the following lines to the "/usr/local/directadmin/data/templates/virtual_host_secure.conf" file:

Code:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:-ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP

I added the above lines between:
ServerName www.|DOMAIN|
and
ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|

After making the modification I did add it to the task queue and restarted the web server service so I don't think I've missed anything obvious.

It looks like the PCI compliance scan is still failing; however, I am still unsure how to only allow high-encryption SSL ciphers on my web server. I am running CentOS 5.4.

Any suggestions would be much appreciated.
 
Just as a bump here, I'm having the same issue. Blows my mind that this is not more common or even posted yet. Any help would be an immense weight lifted.
 
Why not just make the changes to /etc/httpd/conf/extra/httpd-ssl.conf?
 
Hey,

Don't forget the "conf" directory...

/etc/httpd/conf/extra/http-ssl.conf

David
 
Sorry to necropost but I was able to get this working.

1) Move the /usr/local/directadmin/data/templates/virtual_host_secure.conf to /usr/local/directadmin/data/templates/custom

Code:
mv /usr/local/directadmin/data/templates/*secure*.conf /usr/local/directadmin/data/templates/custom

2) Edit the /usr/local/directadmin/data/templates/custom/virtual_host_secure.conf

Code:
vi /usr/local/directadmin/data/templates/custom/*secure*.conf

3) Insert the following line into all of these files:

Code:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

You can try pasting this into VI (note the 8 spaces on the last line, they are needed)

Code:
/ServerAlias
ISSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

between the following two lines:

Code:
ServerName www.|DOMAIN|
ServerAlias www.|DOMAIN| |DOMAIN| |SERVER_ALIASES|

After saving to each file, type "wn" in VI to save and go to the next file to be written. Continue using "wn" until all files have been written.

4) Run the following commands at the shell prompt:

Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d 800
cat /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d 800

This rewrites the config and restarts the web server.

5) Check that it "took":

Code:
cat /usr/local/directadmin/data/users/*/httpd.conf | grep -i cipher

If you don't see anything after typing this, then something went wrong.
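A shell check, added here and not taken from the thread, that classifies every cipher a given SSLCipherSuite string admits by the scan report's own thresholds (medium = at least 56 and fewer than 112 bits), so a suite can be verified on the box before the next scan runs. It assumes openssl and awk are installed and that the local OpenSSL build matches the one Apache links against.

```sh
#!/bin/sh
# Classify ciphers by symmetric key length using the scan's definition:
#   LOW < 56 bits, MEDIUM 56..111 bits, HIGH >= 112 bits.
# Reads "openssl ciphers -v" formatted lines on stdin and prints
# "NAME BITS CLASS" for each one.
classify_ciphers() {
    awk '
    {
        bits = 0
        for (i = 1; i <= NF; i++) {
            # Only the Enc= field carries the key length, e.g. Enc=AES(128);
            # Enc=None (a NULL cipher) has no parenthesised number -> 0 bits.
            if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
        }
        if (bits < 56)       cls = "LOW"
        else if (bits < 112) cls = "MEDIUM"
        else                 cls = "HIGH"
        print $1, bits, cls
    }'
}

# Count how many ciphers of one class (LOW/MEDIUM/HIGH) a cipher-suite
# string admits, as expanded by the locally installed OpenSSL.
# Usage: count_class 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM' MEDIUM
count_class() {
    suite=$1; want=$2
    openssl ciphers -v "$suite" 2>/dev/null | classify_ciphers |
        awk -v w="$want" '$3 == w { n++ } END { print n + 0 }'
}

# Stand-alone use: pass a suite string, get the number of MEDIUM ciphers it
# still allows (0 is what the scan wants to see).
if [ -n "${1:-}" ]; then
    count_class "$1" MEDIUM
fi
```

A non-zero MEDIUM count for the string written into httpd.conf means the scan's medium-strength finding will come back regardless of whether the template rewrite took.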
 