PCI Compliance Apache Global Setting
I am trying to pass PCI compliance and are down to my last few vulnerabilities. I think it's my Apache Global Setting.
Here is what I have, does this look incorrect? So many threads on this issue but a lot of them are from 2015.
Pre Main Include ( All Versions):
Header add Strict-Transport-Security "max-age=31536000"
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Thanks,
Brad
-
This should help: SSLCipherSuite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSL/TLS Protocols: All -SSLv2 -SSLv3 -TLSv1 These already look good: Header add Strict-Transport-Security "max-age=31536000" SSLHonorCipherOrder On Check the HSTS elgibility: HSTS Preload List Submission, since you are implementing the HSTS header. With the above values you should get a A+ score at SSL Server Test (Powered by Qualys SSL Labs) 0 -
Thanks @Anupam SG for the great answer @bridgeway04 if you get a chance, let us know if that helped! 0
Please sign in to leave a comment.
Comments
2 comments