Posts Tagged ‘PCI’

Disable weak ciphers in Tomcat

PCI compliance requires that weak and medium strength SSL ciphers are disabled, along with SSLv2 functionality. To achieve this, just add the following to your SSL connector within server.xml and restart Tomcat. sslProtocol should be set to TLS or SSLv3, and the ciphers setting should be added as below. Typically the server.xml will be in: […]

Disable Track and Trace in Apache

TraceEnable off is available in Apache 1.3.34, 2.0.55 and later. Otherwise you will need to add:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
RewriteRule .* - [F]
to a /etc/httpd/conf.d/zz_020_disable_track_trace.conf and possibly to the individual vhost.conf's.

Plesk for Windows – PCI Compliance

This is somewhat of a work in progress. The only thing flagged by PCI compliance scans so far is the use of SSLv2. This can be disabled in Windows 2003 by adding the following registry entry in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server, create a new DWORD named Enabled with the default value. Also disable weak ciphers: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders […]

Plesk for Linux – PCI Compliance

Courier Weak SSL Ciphers and SSLv2. The most common flaw uncovered by a PCI compliance scan is that a service is allowing SSL connections using weak SSL ciphers. Disable SSLv2 in Courier by adding the following line to both /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl: TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH" After restarting Courier, test with openssl to confirm SSLv2 has been disabled […]