[ic] PCI Compliance

Grant emailgrant at gmail.com
Wed Jul 14 16:43:28 UTC 2010


>> It's not so bad.  I added the following to my apache2 config to fix
>> some SSL issues:
>>
>> SSLProtocol all -SSLv2
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
>>
>> - Grant
>
> Hi Grant,
>
> Who did you use for the PCI DSS Compliance testing?  My CC Processor forces
> me to use Trustwave, who supposedly is one if not the biggest.  They are a
> pain to work with.
>
> I have used the setup you suggested but they reject it as Non-compliant and
> will not give any more info.  They say they require SSLProtocol -ALL +SSLv3
> +TLSv1.  Do you see any problems with this?  Sorry, but I do not trust
> Trustwave; they keep finding too many things that are just not on my server,
> or they reject their own suggestions as too weak.  I found an independent
> Website to test for SSLv2 and SSLv3 and they say we no longer use SSLv2, but
> Trustwave wants more.  I certainly do not want to lose customers, but it
> sounds like most new Browsers can handle SSLv3.  Any thoughts?

It sounds like this isn't your problem but I had to disable aNULL
ciphers in postfix before I passed:

/etc/postfix/main.cf:
smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL

Not sure if I need both of those or just one.

- Grant
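Both settings in this thread (Apache's SSLCipherSuite and Postfix's smtp_tls_exclude_ciphers / smtpd_tls_exclude_ciphers, which apply to the Postfix SMTP client and SMTP server respectively) are interpreted with OpenSSL's cipher-string syntax, so it is worth being able to see what a given string actually selects. The script below is an added example, not code from the thread or from the Interchange project: it is a simplified model of the ciphers(1) rules (append, `-` delete, `!` permanently delete, `+` move to the end, `a+b` as AND, `ALL` as everything except eNULL) run over a small constructed table of suites, and the table, its ordering and the tag sets are assumptions, not OpenSSL's real list. It shows one thing the thread's Apache string does not cover: `!ADH` removes anonymous DH suites only, so an anonymous ECDH (AECDH) suite survives, whereas excluding `aNULL`, as the Postfix lines do, removes every unauthenticated suite.

```python
"""Simplified model of OpenSSL cipher-string evaluation (the syntax used by
Apache's SSLCipherSuite and by Postfix's *_tls_exclude_ciphers settings).

Added example; the cipher table is a small constructed subset and the
ordering of ALL is assumed.  The rules follow the ciphers(1) manual page:

  keyword   append matching suites not already in the list
  -keyword  delete matching suites (they may be re-added later)
  !keyword  delete matching suites permanently
  +keyword  move matching suites already in the list to the end
  a+b       every keyword must match
  ALL       every suite except eNULL (null encryption)
"""

# Constructed table: suite name -> OpenSSL alias keywords it matches.
CIPHERS = [
    ("DES-CBC3-MD5",       {"kRSA", "aRSA", "RSA", "3DES", "MD5", "HIGH", "SSLv2"}),
    ("AES256-SHA",         {"kRSA", "aRSA", "RSA", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("DHE-RSA-AES256-SHA", {"kEDH", "aRSA", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("DES-CBC3-SHA",       {"kRSA", "aRSA", "RSA", "3DES", "SHA1", "HIGH", "SSLv3"}),
    ("RC4-SHA",            {"kRSA", "aRSA", "RSA", "RC4", "SHA1", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",            {"kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",        {"kRSA", "aRSA", "RSA", "DES", "SHA1", "LOW", "SSLv3"}),
    ("EXP-RC4-MD5",        {"kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP", "EXPORT40", "SSLv3"}),
    ("EXP1024-RC4-SHA",    {"kRSA", "aRSA", "RSA", "RC4", "SHA1", "EXP", "EXPORT56", "SSLv3"}),
    ("ADH-AES256-SHA",     {"kEDH", "aNULL", "ADH", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("AECDH-AES256-SHA",   {"kEECDH", "aNULL", "AECDH", "AES", "SHA1", "HIGH", "SSLv3"}),
    ("NULL-SHA",           {"kRSA", "aRSA", "RSA", "eNULL", "SHA1", "SSLv3"}),
]
TAGS = dict(CIPHERS)


def matches(name, keyword):
    """Does suite `name` match one alias keyword (or its own name)?"""
    if keyword == "ALL":
        return "eNULL" not in TAGS[name]
    if keyword == "COMPLEMENTOFALL":
        return "eNULL" in TAGS[name]
    return keyword == name or keyword in TAGS[name]


def select(element):
    """Suites (in table order) matching every keyword of an `a+b+c` element."""
    words = element.split("+")
    return [n for n, _ in CIPHERS if all(matches(n, w) for w in words)]


def evaluate(cipher_string):
    """Return the ordered list of suites an OpenSSL-style string selects."""
    current, killed = [], set()
    for element in cipher_string.replace(",", ":").split(":"):
        element = element.strip()
        if not element or element.startswith("@"):
            continue  # @STRENGTH sorting is not modelled here
        op, element = (element[0], element[1:]) if element[0] in "!-+" else ("", element)
        chosen = select(element)
        if op == "!":
            killed.update(chosen)
            current = [c for c in current if c not in chosen]
        elif op == "-":
            current = [c for c in current if c not in chosen]
        elif op == "+":
            moved = [c for c in current if c in chosen]
            current = [c for c in current if c not in chosen] + moved
        else:
            current += [c for c in chosen if c not in current and c not in killed]
    return current


def unauthenticated(suites):
    """Suites in `suites` that offer no server authentication (aNULL)."""
    return [s for s in suites if "aNULL" in TAGS[s]]


# The SSLCipherSuite value quoted in the thread.
APACHE_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL"

if __name__ == "__main__":
    chosen = evaluate(APACHE_STRING)
    print("selected:", chosen)
    print("unauthenticated:", unauthenticated(chosen))
    # Excluding aNULL, as the Postfix lines in the thread do, also drops AECDH.
    print("with !aNULL:", unauthenticated(evaluate(APACHE_STRING + ":!aNULL")))
```

Run it as a script and the first line lists the surviving suites in the order the string produces; the second shows AECDH-AES256-SHA still present after `!ADH`, and the third shows that appending `:!aNULL` leaves no unauthenticated suite. On a real host, `openssl ciphers -v '<string>'` gives the authoritative expansion for the installed OpenSSL version.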



More information about the interchange-users mailing list