[ic] PCI Compliance

Grant emailgrant at gmail.com
Wed Jul 14 16:43:28 UTC 2010

>> It's not so bad.  I added the following to my apache2 config to fix
>> some SSL issues:
>> SSLProtocol all -SSLv2
>> SSLCipherSuite
>> - Grant
> Hi Grant,
> Who did you use for the PCI DSS Compliance testing?  My CC Processor forces
> me to use Trustwave, who supposedly is one if not the biggest.  They are a
> pain to work with.
> I have used the setup you suggested but they reject it as Non-compliant and
> will not give any more info.  They say they require SSLProtocol -ALL +SSLv3
> +TLSv1  Do you see any problems with this.  Sorry but I do not trust
> Trustwave, they keep finding to many things that are just not on my server,
> or they reject their own suggestions as to weak.  I found a independent
> Website to test for SSLv2 and SSLv3 and they say we no longer use SSLv2 but
> Trustwave wants more.  I certainly do not want to loose customers but it
> sounds like most new Browsers can handle the SSLv3.  Any thoughts?

It sounds like this isn't your problem but I had to disable aNULL
ciphers in postfix before I passed:

smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL

Not sure if I need both of those or just one.

- Grant

More information about the interchange-users mailing list