 |
 |
This is our OLD wiki. You might find better documentation on our new QuickBooks integration wiki.
Table of Contents
Securing your Apache 2.x Server
SSL and PCI Compliance
Your SSL configuration should have the following options:
# This disables old, vulnerable SSL versions (SSLv2): SSLProtocol -ALL +SSLv3 +TLSv1 # This disables WEAK and MEDIUM strength ciphers: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
Testing Apache 2.x for SSLv2 Support
From a command prompt, run this command, making sure to enter your domain name and the port you want to check (default HTTP over SSL- 443):
openssl s_client -connect YOUR-DOMAIN-NAME-GOES-HERE:THE-PORT-NUMBER-GOES-HERE -ssl2
You should get back something like this:
CONNECTED(00000003) 82841:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s2_pkt.c:428:
If you get back something else that looks like it worked/is doing something, then you have SSLv2 enabled, which is *bad*.
PHP Settings
; This causes the X-Powered-By: PHP header to now show up in outgoing HTTP headers expose_php = Off ; Don't show errors to the end-user display_errors = Off
 |