PCI Compliance Apache ssl.conf (linux)

Making your ssl.conf compliant for PCI.

By default, your ssl.conf usually includes weak protocols. This will not pass a PCI audit, but the fix is easy.

1. Make a backup of your current ssl.conf for rollback purposes

cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date +%y%m%d%H%M%S`

2. Verify your backup was created as expected

ls -l /etc/httpd/conf.d/ | grep ssl.conf

3. Edit the protocol and ciphersuite lines

/etc/httpd/conf.d/ssl.conf

Comment out:

#SSLProtocol all -SSLv2

#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Add in:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

4. Restart Apache

service apache restart

or

service httpd restart
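The four steps above as one script, added here as an example and not part of the original post: it takes the ssl.conf path as an argument, keeps the timestamped backup, rewrites the two directives through a temp file so a failed edit leaves the original intact, and verifies the result before restarting. The directive values are the ones given above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: ./harden.sh /etc/httpd/conf.d/ssl.conf
# The SSLProtocol and SSLCipherSuite values are the ones the post gives.
NEW_PROTOCOL='SSLProtocol -ALL +SSLv3 +TLSv1'
NEW_CIPHERS='SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'

# Steps 1 and 2: copy with a timestamp suffix, then confirm the copy is non-empty.
backup_ssl_conf() {
    backup="$1.$(date +%y%m%d%H%M%S)"
    cp "$1" "$backup" && [ -s "$backup" ]
}

# Print the active (uncommented) lines of a directive: active_lines FILE SSLProtocol
active_lines() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1"
}

# Step 3: comment out every active SSLProtocol/SSLCipherSuite line and put the
# new directive directly below it, so it stays in the same <VirtualHost> context.
rewrite_ssl_directives() {
    tmp="$1.tmp.$$"
    awk -v proto="$NEW_PROTOCOL" -v ciphers="$NEW_CIPHERS" '
        /^[[:space:]]*SSLProtocol[[:space:]]/    { print "#" $0; print proto;   next }
        /^[[:space:]]*SSLCipherSuite[[:space:]]/ { print "#" $0; print ciphers; next }
        { print }' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# A directive passes only if at least one active line exists and every active
# line is exactly the expected value (a stray old line anywhere fails the check).
verify_directive() {
    lines="$(active_lines "$1" "$2")" || return 1
    [ "$(printf '%s\n' "$lines" | grep -vcF -- "$3")" = 0 ]
}
verify_ssl_conf() {
    verify_directive "$1" SSLProtocol "$NEW_PROTOCOL" &&
        verify_directive "$1" SSLCipherSuite "$NEW_CIPHERS"
}

harden_ssl_conf() {
    backup_ssl_conf "$1" || { echo "backup of $1 failed, aborting" >&2; return 1; }
    rewrite_ssl_directives "$1" && verify_ssl_conf "$1"
}

# Step 4: syntax-check the new file before restarting (httpd on RHEL/CentOS).
restart_apache() { apachectl configtest && service httpd restart; }

if [ $# -gt 0 ]; then harden_ssl_conf "$1" && restart_apache; fi
```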