If you have been advised to avoid weak SSL ciphers and disable SSLv2 (two of the most common findings on a PCI compliance scan), the fix is actually a pretty simple task. Find below step-by-step instructions for clearing both advisories.
First things first, let's check whether your server currently accepts weak ciphers and SSLv2 connections. I'm showing you how to do this now because you will use the same commands later to verify your configuration changes.
Checking if your server supports weak ciphers
To check whether your server accepts weak cipher suites, try to connect to it while offering only the LOW and export-grade ciphers. You can run this command from the server you're locking down, or from any other machine with OpenSSL installed. Note that recent OpenSSL builds ship without LOW and EXP ciphers at all; if the command fails locally with "no cipher match" that says nothing about the server, so use an older OpenSSL or an external scanner in that case.
openssl s_client -connect HOST_NAME:443 -cipher LOW:EXP
If weak ciphers are enabled the handshake completes, s_client prints the certificate and session details, and the connection sits waiting for input.
If weak ciphers are disabled, you will instead receive an error message similar to the following (the exact wording depends on your OpenSSL version):
CONNECTED(00000003)2290:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:
Checking if your server supports SSL2 connections
Run the following command to check whether SSLv2 connections are accepted:
openssl s_client -ssl2 -connect HOST_NAME:443
If enabled, the handshake completes and the connection waits for input, exactly as in the weak cipher test above.
If not enabled, your output will contain an error message similar to the following. (OpenSSL 1.1.0 and later are built without SSLv2 and reject the -ssl2 option as unknown; that is not a test result either, so again use an older OpenSSL or an external scanner.)
2420:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Disabling both weak ciphers and SSL2 connections
To disable both of these options for Apache's SSL connections, open the SSL module configuration file as root (the path below is the Debian/Ubuntu layout):
sudo vi /etc/apache2/mods-enabled/ssl.conf
You will need to either uncomment or add the SSLProtocol line below. Most scanners now flag SSLv3 as well, so consider dropping it in the same directive (-SSLv3). Weak cipher suites are excluded with the SSLCipherSuite directive in the same file; make sure it rules out the LOW and EXP (export-grade) suites.
SSLProtocol all -SSLv2
Once done, save the file, check the syntax with sudo apache2ctl configtest, and then restart the Apache service:
sudo /etc/init.d/apache2 restart
Now go back and run the weak cipher and SSLv2 connection tests again. If both now fail with a handshake error, the job is done. If the original finding came from an external PCI scanning vendor, request a rescan so the advisory is formally closed.
That's it, all done.
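The whole procedure, as an added example that is not part of the original post: a small POSIX shell script that probes a host for SSLv2, SSLv3 and LOW/EXP cipher support with openssl s_client, classifies each result (including the "my OpenSSL can't even try" case that a modern build produces), and emits the Apache directives that close both findings. It assumes openssl is on PATH and that you supply the host (and optionally the port) as arguments; the SSLCipherSuite string is my suggested replacement, not a line taken from the post, and the three SAMPLE_* strings are constructed s_client output used only for the offline self-check.

```shell
#!/bin/sh
# Added example, not code from the original post: audit SSLv2 / SSLv3 /
# weak-cipher support with openssl s_client and print hardened Apache directives.
set -eu

# Classify captured openssl s_client output.
#   accepted   - handshake completed with the offered protocol/ciphers (bad)
#   refused    - server rejected the handshake (good)
#   untestable - the local openssl lacks the feature, or no TLS server answered
classify_s_client() {
    text=$1
    if printf '%s\n' "$text" | grep -Eq 'unknown option|connect:errno|Connection refused'; then
        echo untestable
    elif printf '%s\n' "$text" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$text" | grep -Eq 'handshake failure|unknown protocol|no cipher match|no ciphers available'; then
        echo refused
    elif printf '%s\n' "$text" | grep -Eq 'Cipher is [A-Z0-9-]+'; then
        echo accepted
    else
        echo untestable
    fi
}

# Run one s_client probe.  $1 = host, $2 = port, rest = extra s_client options.
# </dev/null closes stdin so s_client exits instead of waiting for input; the
# exit status is ignored on purpose because a refused handshake is a good result.
probe() {
    host=$1; port=$2; shift 2
    out=$(openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 || true)
    classify_s_client "$out"
}

audit() {
    host=$1; port=${2:-443}
    echo "SSLv2 handshake:    $(probe "$host" "$port" -ssl2)"
    echo "SSLv3 handshake:    $(probe "$host" "$port" -ssl3)"
    echo "LOW/EXP ciphers:    $(probe "$host" "$port" -cipher 'LOW:EXP')"
}

# Directives to put in the Apache SSL config (assumed replacement, not the
# post's own lines): drop SSLv2/SSLv3, exclude NULL, anonymous, export, LOW,
# MD5 and RC4 suites, and let the server choose the cipher.
hardened_ssl_conf() {
    cat <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
SSLHonorCipherOrder on
EOF
}

# Constructed s_client outputs for an offline self-check (not real captures).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit'
SAMPLE_REFUSED='CONNECTED(00000003)
2420:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_UNSUPPORTED='unknown option -ssl2
usage: s_client args'

# With no arguments the script only defines the functions above;
# run it as:  sh audit_ssl.sh HOST_NAME [PORT]
if [ $# -gt 0 ]; then
    audit "$@"
    echo
    echo "Suggested Apache directives:"
    hardened_ssl_conf
fi
```

An "untestable" line means your OpenSSL build cannot speak that protocol (or the port did not answer TLS at all), not that the server is safe; for those rows fall back to an older OpenSSL or to the external scanner that raised the finding.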