
PCI Compliance: Disable SSLv2 and weak ciphers for Apache2 SSL

If you have been advised to avoid weak SSL ciphers and disable SSLv2, it is actually a pretty simple task. Below are step-by-step instructions for clearing these two advisories from the PCI compliance checks.

First things first, let’s check whether your server has weak ciphers and SSLv2 enabled for connections. I’m showing you how to do this now because you will need it later to test your configuration changes.

Checking if your server supports weak ciphers
To check whether your server supports weak cipher connections, attempt to connect to it with the following command. You can run this command from the server you’re locking down.

openssl s_client -connect HOST_NAME:443 -cipher LOW:EXP

If weak ciphers are enabled you will receive a connection message, with your connection waiting for input.

If weak ciphers are disabled, you will receive an error message similar to the following.

CONNECTED(00000003)2290:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:

Checking if your server supports SSL2 connections
Run the following command to check if SSL2 connections are accepted:

openssl s_client -ssl2 -connect HOST_NAME:443

If enabled, you will receive output similar to the following and your connection will accept input.

If not enabled, your output will contain an error message similar to the following.

2420:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
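The two checks above are easy to script so that the result reads as a plain "accepted" or "rejected" instead of having to eyeball the transcript. The following is an added example, not code from the original post: it wraps both openssl s_client commands, closes stdin so the client does not sit waiting for input, and classifies the output. HOST_NAME is a placeholder for the server you are locking down; the two failure transcripts are the lines quoted above, while the "accepted" transcript is constructed here to show the shape of a completed handshake.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the two
# openssl s_client checks described above and classifies their output.
# HOST_NAME (script argument) is a hypothetical placeholder.

# classify_handshake: read an `openssl s_client` transcript on stdin and print
# "accepted" if the server completed a handshake with the requested
# protocol/ciphers, "rejected" if it refused, "unknown" otherwise.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"error:"*)           echo rejected ;;   # SSL routines error line, as quoted in the post
        *"Cipher is (NONE)"*) echo rejected ;;   # newer s_client: no cipher negotiated
        *"Cipher is "*)       echo accepted ;;   # a cipher was negotiated
        *)                    echo unknown ;;
    esac
}

# The post's first check: does the server accept LOW or export-grade ciphers?
# </dev/null closes stdin so s_client exits instead of waiting for input.
check_weak_ciphers() {
    openssl s_client -connect "$1:443" -cipher 'LOW:EXP' </dev/null 2>&1 | classify_handshake
}

# The post's second check: does the server still speak SSLv2?
# -ssl2 only exists in OpenSSL builds that still include SSLv2 (it was removed
# in OpenSSL 1.1.0); on newer builds the option itself is rejected.
check_sslv2() {
    openssl s_client -ssl2 -connect "$1:443" </dev/null 2>&1 | classify_handshake
}

# Constructed sample transcripts for offline use. The two failure lines are
# the ones quoted in the post; the "accepted" transcript is made up here
# (EXP-RC4-MD5 is an export-grade cipher, exactly what the check looks for).
SAMPLE_WEAK_DISABLED='CONNECTED(00000003)
2290:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:'
SAMPLE_SSL2_DISABLED='2420:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5
---'

# classify_sample TEXT: run the classifier over one of the samples above.
classify_sample() {
    printf '%s\n' "$1" | classify_handshake
}

# Usage: sh check_ssl.sh HOST_NAME   (runs both live checks against HOST_NAME)
if [ -n "${1-}" ]; then
    echo "weak ciphers (LOW:EXP): $(check_weak_ciphers "$1")"
    echo "SSLv2:                  $(check_sslv2 "$1")"
fi
```

Run it once before and once after the configuration change; both lines should flip from accepted to rejected. The "Cipher is (NONE)" case is there because newer s_client builds still print a session block on a failed handshake, so the presence of "SSL-Session:" alone is not proof the server accepted the connection.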

Disabling both weak ciphers and SSL2 connections
To disable both of these options for Apache’s SSL connections open the SSL configuration file as root.

sudo vi /etc/apache2/mods-enabled/ssl.conf

You will need to either uncomment or add the following two lines:

SSLProtocol all -SSLv2

Once done, save the file. You now need to restart the Apache service:

sudo /etc/init.d/apache2 restart

Now go back and run the weak cipher and SSLv2 connection tests. If both now fail to connect, the job is done.

That’s it, all done.

Posted in Linux

PCI compliance – An overview

Recently I have needed to secure and lock down a server to be PCI compliant. While I previously had an overview of what PCI is, I didn’t fully understand the underlying fundamentals.

Being rather obsessive and interested, I decided to dig into the world of PCI, and what I managed to dig up in a small amount of time is worth sharing, despite several thousand websites detailing the same thing. Think of this post as an overview of PCI compliance for those that just want an understanding.

Posted in Interesting

Happy new years

With 2011 comes a new year and a new start from any life absences and obscurities that have stricken us in 2010. Life is to be taken seriously, but live it day by day, year by year, one step at a time.

This year will mark something extremely significant for myself and my family. With my wife and me looking for a new house, as well as CarPro taking off (and v2.0 coming at the end of Q1), things are looking brighter at the end of the time tunnel. A fresh new start marks the era of success, or the beginnings, whichever comes first.

Happy new years to you all and I hope it brings you everything you would like.

Posted in My world

A follow up to getting your iPhone app expedited by the Apple review team

A couple of weeks ago I wrote a post about theories on getting your iPhone app review expedited by contacting the Apple review team.

Early last week I decided to try my first idea which was putting the app name in the minds of the reviewers by simply asking how long it would take to review “App name”. While the review team were exceptionally helpful, putting the app into their minds was not enough to get the app expedited into review.

Sadly, the app I submitted was actually rejected at the end of last week. Thankfully the reason was a simple fix and a minor mistake which I wouldn’t have known about unless noticed by the reviewers themselves. Having said that, I see the rejection as a blessing in disguise, as it has allowed me to re-submit the app with a stronger appearance and additional, fundamental features.

I have written press releases that I have had to put on hold for a large number of blogs, magazines and newspapers. Because of this I thought I’d be direct with Apple and request that my app be expedited.

Here is my email:

Posted in iPhone Development

How to find the fattest directories with du (Disk Usage)

If you happen to be running out of space on your *nix platform, or would like to see which directories are consuming the most disk space, you can use the disk usage utility. Most Linux distros come with du (disk usage), which happens to be an extremely useful command for finding the fattest directories on your file system.

It’s time to find the culprit directories taking up all your space
Using du is simple: change to a directory and run du to return a list of all directories, their child directories and their weight (size).
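Raw du output lists every directory in tree order, so the fattest ones are buried in the middle. As an added example, not code from the original post, here is a small script that ranks the directories under a path by size using du -k (kilobyte units, which both GNU and BSD du support), plus a constructed sample tree so it can be tried without touching a real filesystem. The directory and file names in the sample are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: rank the directories
# under a path by disk usage so the fattest ones surface first.

# fattest_dirs DIR [N]: print the N largest directories under DIR (default 10),
# one per line as "<kilobytes><TAB><path>", largest first. DIR's own total
# line is dropped because it would always come out on top.
fattest_dirs() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    n=${2:-10}
    du -k "$dir" | awk -F '\t' -v root="$dir" '$2 != root' | sort -rn | head -n "$n"
}

# top_offender DIR: just the path of the single largest directory under DIR.
top_offender() {
    fattest_dirs "$1" 1 | cut -f2
}

# make_sample_tree: build a constructed directory tree in a temp dir (random
# bytes, so filesystem compression cannot shrink them) and print its path.
# Sizes: logs/ holds ~350K in total, logs/old/ 300K, cache/ 120K, etc/ a few bytes.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/logs/old" "$tmp/cache" "$tmp/etc"
    dd if=/dev/urandom of="$tmp/logs/old/app.log.1" bs=1024 count=300 2>/dev/null
    dd if=/dev/urandom of="$tmp/logs/app.log" bs=1024 count=50 2>/dev/null
    dd if=/dev/urandom of="$tmp/cache/blob" bs=1024 count=120 2>/dev/null
    printf 'key=value\n' > "$tmp/etc/app.conf"
    printf '%s\n' "$tmp"
}

# Usage: sh fattest.sh [DIR]
# With a DIR argument the ranking is run on that directory; without one the
# constructed sample tree is ranked and then removed again.
if [ -n "${1-}" ]; then
    fattest_dirs "$1"
else
    sample=$(make_sample_tree)
    fattest_dirs "$sample"
    rm -rf "$sample"
fi
```

On the sample tree the output lists logs first (it contains logs/old plus its own file), then logs/old, cache and etc. Pointing it at / with a larger N is the usual way to find where a full disk has gone.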

Posted in Linux

Howto set date and time from the CLI and keep your time synced with ntpdate

Being a systems administrator, at some point in your life you’re more than likely going to need to update the date and time on your Linux box. If you only have command line access to a Linux server you will need to do this via the command line; thankfully it’s a really easy task.

The date command
First things first, the command you will need is date. date not only outputs the current date and time of the box but also allows you to set them.

Mon 20 Nov 2010 11:10:38 GMT

Posted in Linux

Testing: Users lacking knowledge are the greatest users of them all

Before submitting an app to Apple I decided to hand it over to my wife. Now, my wife isn’t a programmer but is an avid web user, and putting the app in her hands for 10 minutes identified some seriously crucial but lacking usability features.

Programmers write code and they write this code day in, day out. They know how the app should work and test based on how the app should be used. I used to do this myself and the majority of programmers I know do the same thing. I’m afraid this is wrong and programmers need to learn to step out of the box.

Programmers have something they need to learn, and that’s usability testing. While I’m certain others may disagree, we programmers have a thing or two to learn from the average Joe on the street, whether directly or indirectly.

Posted in Development

Thoughts on how to expedite your iPhone application review

Browsing the web trying to find a decent explanation of Apple’s review process, I came across a discussion about app review times. Reading the discussion I came across an email address that made me think about how you could possibly expedite the review process.

Keep in mind these are just theories and may not work. However, what you don’t ask for, you won’t get.

While the last thing you want to do is irritate employees at Apple, I cannot see any harm in sending a question asking for an estimate of when your app will be reviewed. Putting an app in the mind of a reviewer may well entice them to review it sooner rather than later to see what the fuss is about. Also, sometimes people do good deeds; today may be the day someone does a good deed for you.

Posted in iPhone Development

symfony swift mailer localhost [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4

A weird problem was put in front of me today. Every symfony site using Swift Mailer on the same server, bar one, was sending email correctly. Tailing the mail logs, the following error was returned:

Server xm-mta[19908]: oAJA1IcU019908: localhost [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4

Given that all other sites using Swift Mailer were sending fine, the obvious reasoning behind this problem was configuration. Lo and behold, the factories.yml configuration for the Swift Mailer delivery strategy was set to none.

Posted in PHP

A lesson in bash history

Have you ever wondered how it is that you can skip back and forwards through your history of commands in bash? Well, it’s pretty simple: bash keeps a log of all commands you enter in a file called .bash_history in the root of your home directory.

This file is very simple and consists of a list of all previously entered commands. However, before writing to the history file, bash stores your history of commands in a buffer and, upon logging out of your shell, writes that buffer to ~/.bash_history. This is worth noting if you plan on modifying the history: in order to see the latest commands entered in the bash history file, you will need to log out and then back in again.

Posted in Linux