[ic] PCI Compliance
Grant
emailgrant at gmail.com
Wed Jul 14 16:43:28 UTC 2010
>> It's not so bad. I added the following to my apache2 config to fix
>> some SSL issues:
>>
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
>>
>> - Grant
>
> Hi Grant,
>
> Who did you use for the PCI DSS Compliance testing? My CC Processor forces
> me to use Trustwave, who is supposedly one of, if not the, biggest. They are a
> pain to work with.
>
> I have used the setup you suggested but they reject it as Non-compliant and
> will not give any more info. They say they require SSLProtocol -ALL +SSLv3
> +TLSv1. Do you see any problems with this? Sorry, but I do not trust
> Trustwave; they keep finding too many things that are just not on my server,
> or they reject their own suggestions as too weak. I found an independent
> Website to test for SSLv2 and SSLv3 and they say we no longer use SSLv2, but
> Trustwave wants more. I certainly do not want to lose customers, but it
> sounds like most new Browsers can handle SSLv3. Any thoughts?
It sounds like this isn't your problem but I had to disable aNULL
ciphers in postfix before I passed:
/etc/postfix/main.cf:
smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL
Not sure if I need both of those or just one.
- Grant
More information about the interchange-users mailing list