Making mod_ssl (Apache) PCI compliant

Hold on Cowboy

This blog post is pretty old. Be careful with the information you find in here. It's likely dead, dying, or wildly inaccurate.

Here are some configurations in Apache and PHP needed to make your server PCI compliant.

SSL Configurations

Only allow secure SSL versions (version 3 and TLS 1):

    SSLProtocol -ALL +SSLv3 +TLSv1

Only allow secure ciphers:

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

PHP Configurations

Keep PHP from giving out info about itself (php.ini):

    expose_php = Off

Also of note: PHP 4 is dying. You need to move to PHP 5 ASAP.
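To confirm that a server really carries the three settings above, the following added example (not part of the original post) reads an Apache config and a php.ini, works out which protocols the SSLProtocol line leaves enabled, labels what each operator in the cipher string does, and checks expose_php. The helper names, the sample files and the meaning of "all" (SSLv2, SSLv3 and TLSv1, as in mod_ssl releases of this post's era) are assumptions.

```python
import re

# Assumption: what "all" expands to in the mod_ssl releases of this post's era.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def directive(conf_text, name):
    """Argument string of the last uncommented `name` directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf_text, re.M | re.I)
    return hits[-1] if hits else None

def effective_protocols(args):
    """mod_ssl reads left to right: '-' removes, '+' adds, a bare name replaces."""
    names = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for tok in args.split():
        op, word = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = word.lower()
        if key != "all" and key not in names:
            raise ValueError(f"unknown protocol: {tok}")
        chosen = set(ALL_PROTOCOLS) if key == "all" else {names[key]}
        if op == "-":
            enabled -= chosen
        elif op == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def cipher_operators(spec):
    """Label each token of an OpenSSL cipher string by what its operator does."""
    meaning = {"!": "killed permanently", "-": "removed (can be re-added)",
               "+": "moved to end of list"}
    return [(t, meaning.get(t[0], "appended")) for t in spec.split(":") if t]

def expose_php_off(ini_text):
    """True only if php.ini sets expose_php to a false value (PHP's default is On)."""
    m = re.findall(r'^[ \t]*expose_php[ \t]*=[ \t]*"?(\w+)', ini_text, re.M | re.I)
    return bool(m) and m[-1].lower() in ("off", "0", "false", "no", "none")

# Constructed sample input built from the directives in the post.
HTTPD_CONF = ("# SSLProtocol all\n"
              "SSLProtocol -ALL +SSLv3 +TLSv1\n"
              "SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\n")
PHP_INI = "; constructed sample\nexpose_php = Off\n"

def audit(conf, ini):
    proto, ciphers = directive(conf, "SSLProtocol"), directive(conf, "SSLCipherSuite")
    return {"protocols": sorted(effective_protocols(proto)) if proto else None,
            "ciphers": cipher_operators(ciphers) if ciphers else None,
            "expose_php_off": expose_php_off(ini)}
```

A result of None for "protocols" or "ciphers" means the directive is missing or commented out, so the server is running on mod_ssl's defaults rather than the values above.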

Did this help you out? It took me a few days to piece all this information together; I hope this saves you some time (who knows, maybe the future me will be thankful I wrote this down). Let me know your thoughts.