PCI compliance scans often flag Apache servers using medium (56-112 bit) or weak (<56 bit) SSL ciphers as security vulnerabilities. These ciphers are considered cryptographically insufficient against modern attacks like BEAST or CRIME.
First, check your current SSL configuration with:
openssl s_client -connect yourdomain.com:443 -cipher 'ALL:eNULL'
This will reveal all enabled ciphers, including undesirable ones like:
- DES-CBC3-SHA (112-bit, medium)
- RC4-SHA (weak)
- EXP-* (export-grade, very weak)
Edit your SSL configuration (typically in httpd.conf or ssl.conf) and modify the SSLCipherSuite directive:
# Strong cipher suite configuration for Apache 2.2.14
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW:!MEDIUM
SSLProtocol all -SSLv2 -SSLv3
For maximum security while maintaining compatibility:
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
After restarting Apache, verify with:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
Or using OpenSSL:
openssl s_client -connect yourdomain.com:443 -cipher 'MEDIUM'
openssl s_client -connect yourdomain.com:443 -cipher 'LOW'
Both commands should fail with "no shared cipher" errors.
If you must support older clients (Windows XP, Java 6), consider this balanced approach:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
PCI compliance scans frequently flag medium and weak SSL ciphers as security vulnerabilities due to their susceptibility to cryptographic attacks. Medium strength ciphers (56-112 bit) and weak ciphers (below 56 bit) can potentially be broken using modern computing power, exposing sensitive data.
For Apache 2.2.14 with mod_ssl, the default cipher suite typically includes:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
This problematic configuration allows all cipher strengths including the vulnerable ones.
To meet PCI compliance requirements, modify your httpd.conf or SSL configuration file:
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA:!SEED
SSLProtocol all -SSLv2 -SSLv3
Here's a complete virtual host configuration example:
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/key.pem
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
After implementing changes, verify using OpenSSL:
openssl s_client -connect yourdomain.com:443 -cipher 'MEDIUM:LOW'
This should return "no shared cipher" if configured correctly. For comprehensive testing, use:
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
For maximum security, consider implementing:
- HTTP Strict Transport Security (HSTS) header
- Perfect Forward Secrecy (PFS) with ECDHE cipher suites
- Regular certificate rotation
If older clients can't connect after changes:
- Gradually remove weaker ciphers (transition period)
- Monitor error logs for connection failures
- Consider maintaining legacy support on a separate port if absolutely necessary
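A static audit of the SSLCipherSuite and SSLProtocol directives discussed in both answers, added here as example code (not from either answer): it flags the weak families a cipher list still admits, the one-argument rule that a space inside the cipher string breaks, and SSLv2/SSLv3 left on by SSLProtocol. It assumes OpenSSL 1.0.x alias membership, under which 3DES still belongs to HIGH, so a HIGH-only list keeps DES-CBC3-SHA (the 112-bit suite listed as medium above) unless !3DES is added.

```python
"""Static audit of Apache mod_ssl SSLCipherSuite / SSLProtocol directives. Assumes
OpenSSL 1.0.x alias membership (3DES still in HIGH; it moved to MEDIUM in 1.1.0)."""
import re
# family -> (regex for aliases/suite names that pull it in, aliases whose '!' form bans it)
FAMILIES = {
    "EXPORT": (r"EXP(ORT(40|56)?)?|ALL|COMPLEMENTOFALL|DEFAULT|EXP-.*", {"EXP", "EXPORT"}),
    "DES":    (r"DES|LOW|ALL|COMPLEMENTOFALL|DEFAULT|.*DES-CBC-.*", {"DES", "LOW"}),
    "RC4":    (r"MEDIUM|ALL|COMPLEMENTOFALL|DEFAULT|.*RC4.*", {"RC4", "MEDIUM"}),
    "MD5":    (r"MD5|MEDIUM|ALL|COMPLEMENTOFALL|DEFAULT|.*-MD5", {"MD5"}),
    "NULL":   (r"e?NULL|COMPLEMENTOFALL|.*NULL-.*", {"NULL", "eNULL"}),
    "ANON":   (r"aNULL|ADH|AECDH|ALL|COMPLEMENTOFALL|A(EC)?DH-.*", {"aNULL"}),  # !ADH leaves AECDH
    "3DES":   (r"3DES|HIGH|ALL|COMPLEMENTOFALL|DEFAULT|.*DES-CBC3-.*", {"3DES"}),
}

def audit_cipher_string(cipher_string):
    """Return the weak families the list still admits (sorted); [] means clean."""
    enabled, banned = set(), set()
    for raw in cipher_string.split(":"):
        op, tok = (raw[0], raw[1:]) if raw and raw[0] in "!-+" else ("", raw)
        parts = tok.split("+")  # 'RC4+RSA' selects suites matching every part
        for fam, (pattern, excluders) in FAMILIES.items():
            if op == "!" and tok in excluders:
                banned.add(fam)  # only '!' is permanent; '-' can be undone by a later '+'
            elif op in ("", "+") and any(re.fullmatch(pattern, p) for p in parts):
                enabled.add(fam)
    return sorted(enabled - banned)

def audit_protocol(spec):
    """Return which of SSLv2/SSLv3 an SSLProtocol argument string leaves enabled."""
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"} if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return sorted(p for p in enabled if p in ("SSLv2", "SSLv3"))

def audit_config(conf_text):
    """Audit each SSLCipherSuite/SSLProtocol line; returns (line_no, finding) tuples."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        directive, *args = line.split("#", 1)[0].split() or [""]
        directive = directive.lower()
        if directive == "sslciphersuite":
            if len(args) != 1:  # mod_ssl takes one argument; a stray space splits the list
                findings.append((no, "SSLCipherSuite takes one argument, got %d" % len(args)))
            else:
                findings += [(no, "cipher list still admits %s suites" % f) for f in audit_cipher_string(args[0])]
        elif directive == "sslprotocol":
            findings += [(no, "%s enabled" % p) for p in audit_protocol(" ".join(args))]
    return findings
```

Running audit_config over the Apache 2.2 default list quoted above reports every family from 3DES to RC4, while the HIGH-based lists report only 3DES until !3DES is appended.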