PCI Compliance Apache Global Setting

bridgeway04

Member
Jun 2, 2008
I am trying to pass PCI compliance and am down to my last few vulnerabilities. I think it's my Apache Global Setting.

Here is what I have; does this look incorrect? There are so many threads on this issue, but a lot of them are from 2015.

Pre Main Include (All Versions):

Header add Strict-Transport-Security "max-age=31536000"
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

Thanks,

Brad

Anupam SG

Active Member
Aug 29, 2018
This should help:

SSLCipherSuite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSL/TLS Protocols: All -SSLv2 -SSLv3 -TLSv1

These already look good:

Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On

Check the HSTS eligibility at HSTS Preload List Submission, since you are implementing the HSTS header.

With the above values you should get an A+ score at SSL Server Test (Powered by Qualys SSL Labs).
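The answer above changes three things: the cipher string, the protocol line, and (by pointing at the preload list) the HSTS header. The following Python script is an added example, not code from this thread or from cPanel; it lets you check all three offline before paying for another ASV scan. It hands the two SSLCipherSuite strings quoted in the posts to the local OpenSSL through Python's ssl module and inspects what actually gets selected, applies mod_ssl's SSLProtocol keyword rules to the two protocol lines, and compares the HSTS value against what hstspreload.org asks for. The cipher and protocol strings are copied from the two posts; the finding labels and the one-year max-age threshold are this example's own assumptions.

```python
"""Offline check of the WHM "Apache Global Configuration" TLS values quoted in this thread.
Added example, not code from the thread or from cPanel.  The cipher strings go to the local
OpenSSL via ssl.SSLContext.set_ciphers(), so the expansion matches what an Apache built
against the same OpenSSL would offer on port 443."""
import re
import ssl

# Copied from the thread: OLD_* from the question, NEW_* from the answer.
OLD_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)
NEW_SUITE = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256"
)
OLD_PROTOCOLS = "all -SSLv3 -SSLv2"
NEW_PROTOCOLS = "All -SSLv2 -SSLv3 -TLSv1"
HSTS_VALUE = "max-age=31536000"

# What mod_ssl's "all" keyword covers on httpd 2.4 with OpenSSL 1.1.1+ (it never includes SSLv2).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def expand_ciphers(spec):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it selects.
    SSLCipherSuite (like set_ciphers) does not govern TLS 1.3 suites, so drop those."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing in the spec matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def _field(description, key):
    """Pull e.g. 'RSA' out of 'Kx=RSA' in an OpenSSL cipher description line."""
    match = re.search(key + r"=(\S+)", description)
    return match.group(1) if match else ""


def audit_ciphers(spec):
    """Return {finding: [suite names]} for properties a PCI ASV scan typically flags
    (labels are this example's own wording)."""
    findings = {}
    for cipher in expand_ciphers(spec):
        desc, problems = cipher["description"], []
        if _field(desc, "Kx") == "RSA":
            problems.append("no forward secrecy (static RSA key exchange)")
        if _field(desc, "Enc").startswith("3DES"):
            problems.append("3DES (SWEET32, 64-bit block cipher)")
        if _field(desc, "Enc").startswith("RC4"):
            problems.append("RC4")
        if _field(desc, "Mac") == "MD5":
            problems.append("MD5 MAC")
        for problem in problems:
            findings.setdefault(problem, []).append(cipher["name"])
    return findings


def enabled_protocols(directive):
    """Apply mod_ssl's SSLProtocol semantics: a bare name (or "all") replaces the whole
    set, "+X" adds one version and "-X" removes one; names match case-insensitively."""
    by_lower = {p.lower(): {p} for p in ALL_PROTOCOLS}
    by_lower["all"] = set(ALL_PROTOCOLS)
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        versions = by_lower.get(name.lower(), set())  # SSLv2 is not built; toggles nothing
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = set(versions)
    return enabled


def hsts_preload_gaps(header_value):
    """List what the header value still lacks for hstspreload.org submission
    (one-year minimum, includeSubDomains, preload)."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip()
    gaps = []
    if int(directives.get("max-age", "0")) < 31536000:
        gaps.append("max-age of at least 31536000 (one year)")
    if "includesubdomains" not in directives:
        gaps.append("includeSubDomains")
    if "preload" not in directives:
        gaps.append("preload")
    return gaps


if __name__ == "__main__":
    for label, suite, protos in (("question", OLD_SUITE, OLD_PROTOCOLS),
                                 ("answer", NEW_SUITE, NEW_PROTOCOLS)):
        print(f"[{label}] protocols enabled: {sorted(enabled_protocols(protos))}")
        for problem, names in audit_ciphers(suite).items():
            print(f"[{label}] {problem}: {', '.join(names)}")
    print("HSTS preload gaps:", hsts_preload_gaps(HSTS_VALUE) or "none")
```

Run it on the server itself so the same OpenSSL that Apache uses is consulted; a distro that compiles out 3DES will simply not show that finding. Two things the script deliberately makes visible: the question's list still selects static-RSA suites (no forward secrecy) and 3DES, which is the usual reason a scan keeps failing after SSLv3 is gone, and a protocol token without a `+`/`-` prefix replaces everything set before it, which is why "All" must come first. The config check is no substitute for probing the live port; once the change is live, `openssl s_client -tls1 -connect yourhost:443` should fail to handshake, and the Qualys test the answer links to exercises the same paths an ASV scanner does.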