# Disabling weak ssl ciphers in apache [solved]

## gr0x0rd

Hello all,

I'm going through the fun task of making one of my servers PCI compliant so it can begin processing electronic payments.

One of the conditions was to eliminate SSLv2 support; this was easy enough, in my /etc/apache2/httpd.conf I simply added

```
SSLProtocol -all +TLSv1 +SSLv3
```

However, after running an SSL check (such as the one at serversniff.net) I noticed that the server was still allowing weak 56 and 40 bit ciphers. 

After some RTFM and a few examples around the web, I added the following directive:

```
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
```

However... my server is still supporting those weak ciphers. In fact, apache doesn't seem to change its behavior, no matter what I put in this line, almost like it's being ignored entirely. 

Any ideas? I'm running apache 2.2.14-r1 and openssl 0.9.8l-r2.

Thanks as always.

----------

## gr0x0rd

The problem was the line was being overridden by a line in 

/etc/apache2/vhosts.d/00_default_ssl_vhost.conf

Where the SSLCipherSuite directive is already provided by the gentoo devs...  :Wink: 

Hopefully this helps anyone else that runs into the issue.

----------

