[ic] PCI Compliance
Lyn St George
lyn at zolotek.net
Wed Jul 14 08:27:44 UTC 2010
On Tuesday 13 July 2010 14:47:38 Ky Hisberg wrote:
> > It's not so bad. I added the following to my apache2 config to fix
> > some SSL issues:
> >
> > SSLProtocol all -SSLv2
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
> >
> > - Grant
>
> Hi Grant,
>
> Who did you use for the PCI DSS Compliance testing? My CC Processor forces
> me to use Trustwave, who supposedly is one if not the biggest. They are a
> pain to work with.
>
>
> I have used the setup you suggested but they reject it as Non-compliant and
> will not give any more info. They say they require SSLProtocol -ALL
> +SSLv3 +TLSv1 Do you see any problems with this. Sorry but I do not trust
> Trustwave, they keep finding to many things that are just not on my
> server, or they reject their own suggestions as to weak. I found a
> independent Website to test for SSLv2 and SSLv3 and they say we no longer
> use SSLv2 but Trustwave wants more. I certainly do not want to loose
> customers but it sounds like most new Browsers can handle the SSLv3. Any
> thoughts?
>
> Thank you
>
> Kyle
>
This one passes with Comodo (note that medium is disallowed):
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:!EXP:!eNULL:!aNULL
Cheers
Lyn
More information about the interchange-users
mailing list