RSS Feed

PCI Compliance: Disable SSLv2 and weak ciphers for Apache2 SSL

If you have been advised to avoid weak SSL ciphers and disable SSLv2 let me inform you that it is actually a pretty simple task. Find below step by step instructions on clearing these two advisories for the PCI compliancy checks.

First things first, let’s check to see if you have weak ciphers and SSL 2 enabled for connections. I’m showing you how to do this now as you will need to use it later to test your configuration changes.

Checking if your server supports weak ciphers
To check if your server support weak cipher connections attempt to connect to it with the following command. You can run this command from the server in which you’re locking down.

openssl s_client -connect HOST_NAME:443 -cipher LOW:EXP

If weak ciphers are enabled you will receive a connection message with your connection waiting for input.


If weak ciphers are disabled, you will receive an error message similar to the following.

CONNECTED(00000003)2290:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:

Checking if your server supports SSL2 connections
Run the following command to check if SSL2 connections are accepted:

openssl s_client -ssl2 -connect HOST_NAME:443

If enabled, you will receive similar output to the following and your connection will be accepting input.


If not enabled your output will contain an error message similar to the following.

2420:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Disabling both weak ciphers and SSL2 connections
To disable both of these options for Apache’s SSL connections open the SSL configuration file as root.

sudo vi /etc/apache2/mods-enabled/ssl.conf

You will need to either uncomment or add the following two lines

SSLProtocol all -SSLv2

Once done, save. You now need to restart the Apache service.

sudo /etc/init.d/apache2 restart

Now go back and run the weak cipher and SSL2 connection tests. If you get connection failed errors the job is done.

That’s it, all done.

Posted in Linux on the 9th January 2011


Your email address will not be published. Required fields are marked *