4

Another developer recently ran a PCI Compliance check with TripWire on our server and one of the tests we failed was "SSL Server Supports Weak MAC Algorithms for TLSv1". The recommended solution by TripWire was to "disable any cipher suites using md5-based mac algorithms". I tried to look on Google for step-by-step instructions on how to do this for our RedHat flavoured box, but couldn't find anything.

Can anyone tell me how to "disable any cipher suites using md5-based mac algorithms"?

learningtech
  • What software was this triggering for? This is a TLS library configuration issue which may or may not have controls exposed at the application level. For applications using openssl you can use a cipher string specification for this if the application exposes that as an option in its configuration. – Etan Reisner Nov 01 '13 at 16:40
  • Hey Etan, I believe the developer was testing against the SSL and our apache web server. I'm not completely well-versed with server administration, so I didn't quite understand your note about cipher string specification. Are you able to help me understand? Thanks! – learningtech Nov 01 '13 at 16:46

1 Answer

3

For Apache you can control the available SSL cipher suites with the SSLCipherSuite directive. Beware, though: constructing a secure, reliable, compatible cipher suite string is not the simplest of tasks.

Etan Reisner
  • Thanks Etan, I understand the situation slightly better, so now I have a more specific question which I'll start another question for. – learningtech Nov 01 '13 at 23:37
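
As an added example (not part of the original answer or thread): SSLCipherSuite takes an OpenSSL cipher string, so a candidate string can be checked for MD5-based MACs before it goes into the Apache configuration. The function names, the sample listing, and the cipher string in the comments are assumptions made for illustration, and `audit_cipher_string` assumes the `openssl` CLI is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): find cipher suites whose MAC is MD5.

# Constructed sample, in the column layout printed by `openssl ciphers -v`.
sample_cipher_listing() {
    cat <<'EOF'
DHE-RSA-AES256-SHA  SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA          SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5             SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}

# Read `openssl ciphers -v` style lines on stdin and print the names of the
# suites whose MAC field is MD5. Matching the Mac= field (not the suite name)
# avoids both false hits and misses caused by naming.
md5_mac_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Mac=MD5") { print $1; break } }'
}

# Expand a cipher string with the locally installed OpenSSL and report any
# MD5-MAC suites it still enables.
#   $1: cipher string as it would be given to SSLCipherSuite,
#       e.g. 'HIGH:!aNULL:!MD5' (illustrative value, an assumption)
# Returns 0 if no MD5-MAC suite remains, 1 if some do, 2 if openssl rejects it.
audit_cipher_string() {
    listing=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "cipher string rejected by openssl: $1" >&2
        return 2
    }
    hits=$(printf '%s\n' "$listing" | md5_mac_suites)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on the constructed sample: prints the two MD5-MAC suites.
sample_cipher_listing | md5_mac_suites
```

On the server itself, run `audit_cipher_string` with the exact string intended for SSLCipherSuite; the result depends on which suites the installed OpenSSL build supports.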