How to Set SSL Ciphers and Update OpenSSL for PCI Compliance (Apache)

SSL Cipher Settings (PCI Compliant)

If you are going to use SSL for your site, make sure that you disable the weak (low-grade) ciphers.
To do this, edit:

#/etc/httpd/conf.d/ssl.conf

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM

#Save the file and restart Apache
service httpd restart

#check to see if the settings are working
openssl s_client -connect localhost:443 -cipher EXP:HIGH

#the commands below should fail with a handshake error, since only weak ciphers are offered
openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM

By default CentOS comes with OpenSSL version 1.0.0. However, OpenSSL was updated a year ago to 1.0.1, which adds support for TLS 1.1 and 1.2 and the stronger cipher suites that come with them. Before updating OpenSSL, I normally back up the server first in case anything goes wrong, because OpenSSL is used by many programs within Linux.

To update OpenSSL, you will need to install the package manually with rpm from the IUS repository:

#install the IUS repository package (it provides openssl 1.0.1e)
rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm

#install yum-plugin-replace
yum install yum-plugin-replace

#replace the stock openssl package with openssl10 (openssl 1.0.1e)
yum replace openssl --replace-with openssl10

I have also replaced the SSLCipherSuite line above with:

SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES !aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'

You should also disable SSL compression, as it is vulnerable to the CRIME attack according to ssllabs.com:

# /etc/httpd/conf/httpd.conf
# Disable the module within Apache by commenting out its LoadModule line with a #
#LoadModule deflate_module modules/mod_deflate.so

and then:

echo 'export OPENSSL_NO_DEFAULT_ZLIB=1' >> /etc/sysconfig/httpd
# Restart Apache Server
service httpd restart
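Before restarting Apache it helps to audit the configuration file itself, independently of the openssl s_client checks above. The following Python script is an added example, not code from the original post: it parses the mod_ssl directives discussed on this page (SSLProtocol, SSLHonorCipherOrder, both SSLCipherSuite variants shown above, SSLCompression and the mod_deflate LoadModule line) and lists the settings that do not meet a PCI-style policy. The sample configurations embedded in it are constructed for illustration; the expansion of the protocol keyword "all" to every version is an assumption (older mod_ssl builds included SSLv2/SSLv3 in "all", newer ones do not), and the set of weak cipher keywords is this script's own list.

```python
"""Audit an Apache mod_ssl configuration for weak TLS settings.

Added example, not part of the original post. Sample configs are constructed.
"""
import re
import shlex

# Protocol names mod_ssl understands. "all" is expanded to every one of them
# (assumption: conservative, so SSLv3 in an old build's "all" is not missed).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}

# OpenSSL cipher-string keywords that a PCI-style policy should never select
# (this script's own list; RC4 and export/low-grade suites are included).
WEAK_CIPHER_KEYWORDS = {"LOW", "MEDIUM", "EXP", "EXPORT", "RC4", "DES", "3DES",
                        "MD5", "ADH", "aNULL", "eNULL", "NULL", "SSLv2"}
# Keywords that must be excluded with "!" so they can never be re-added.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL"}


def parse_directives(text):
    """Yield (name, args) for each active directive; comment lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)   # honours the quotes around a cipher string
        yield parts[0], parts[1:]


def enabled_protocols(args):
    """Apply mod_ssl's +name/-name/all syntax and return the enabled set."""
    enabled = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def cipher_keywords(cipher_string):
    """Split an OpenSSL cipher string into (modifier, keyword) pairs.

    Separators are ':', ',' or whitespace. A token such as 'RC4+RSA' is an
    AND of several keywords, so each side is reported on its own.
    """
    pairs = []
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token:
            continue
        modifier, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        for keyword in body.split("+"):
            pairs.append((modifier, keyword))
    return pairs


def audit_ssl_config(text):
    """Return a list of findings (strings) for the given mod_ssl config text."""
    findings = []
    directives = list(parse_directives(text))
    by_name = {name.lower(): args for name, args in directives}  # last one wins

    protocols = enabled_protocols(by_name.get("sslprotocol", ["all"]))
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"SSLProtocol enables {proto}")

    if by_name.get("sslhonorcipherorder", ["off"])[0].lower() != "on":
        findings.append("SSLHonorCipherOrder is not On (client picks the cipher)")

    suite = by_name.get("sslciphersuite")
    if suite is None:
        findings.append("SSLCipherSuite is not set (OpenSSL defaults apply)")
    else:
        pairs = cipher_keywords(" ".join(suite))
        excluded = {kw for mod, kw in pairs if mod == "!"}
        for mod, kw in pairs:
            if mod != "!" and kw in WEAK_CIPHER_KEYWORDS:
                findings.append(f"SSLCipherSuite selects weak keyword {kw}")
        for kw in sorted(REQUIRED_EXCLUSIONS - excluded):
            findings.append(f"SSLCipherSuite does not exclude !{kw}")

    if by_name.get("sslcompression", ["off"])[0].lower() == "on":
        findings.append("SSLCompression is On (TLS compression, CRIME)")
    if any(n.lower() == "loadmodule" and a and a[0] == "deflate_module"
           for n, a in directives):
        findings.append("mod_deflate is still loaded")
    return findings


# Constructed sample: the post's first configuration, with mod_deflate commented out.
WEAK_CONFIG = """
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!LOW:!MEDIUM
#LoadModule deflate_module modules/mod_deflate.so
"""

# Constructed sample: a hardened equivalent for an OpenSSL 1.0.1 build.
HARDENED_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite 'HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!RC4:!3DES:!MD5'
SSLCompression off
"""

if __name__ == "__main__":
    for label, cfg in (("post config", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ssl_config(cfg) or ["no findings"])
```

Run it against a copy of ssl.conf by passing the file's contents to audit_ssl_config; an empty list means the directives match the policy, and each string names the directive to change.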

After you have finished the configuration, test your site with http://www.ssllabs.com
