
PCI Compliance - Plesk on Ubuntu 8.04 LTS

LloydD

Basic Pleskian
While researching PCI Compliance on Ubuntu I couldn't find much info for Ubuntu, so here's what has got me PCI Compliant -

Plesk 10.4.4 MU42 PCI Compliance on Ubuntu 8.04 LTS September 2012

Apache

Add to or create /etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf and add -
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH:!EDH:!3DES

And restart Apache

/etc/init.d/apache2 restart


Postfix

Open /etc/postfix/main.cf in your favourite editor, e.g.

vi /etc/postfix/main.cf

And add the following -
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
tls_high_cipherlist = RC4-SHA
smtpd_tls_mandatory_ciphers = HIGH

Save the file and restart Postfix

/etc/init.d/postfix restart


Courier-Imap

Here you need to edit two files, /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl. In both files find the line TLS_CIPHER_LIST and add RC4-SHA like this –

TLS_CIPHER_LIST="RC4-SHA"

Save the file and restart courier-imap –

/etc/init.d/courier-imap restart


Qmail

Here you need to edit or create files /var/qmail/control/tlsserverciphers and /var/qmail/control/tlsclientciphers

And add


Save the files and restart qmail

/etc/init.d/qmail restart


Plesk 10.4.4

Here you need to create the file /opt/psa/admin/conf/cipher.lst and add


and restart the Plesk server -

/etc/init.d/sw-cp-server restart


Now you can check your ciphers at http://serversniff.net/content.php?do=ssl
I have used just RC4-SHA on everything except Apache as that honoured the cipher order and others didn’t want to.
I will look into this further at some point, but for the time being we are PCI Compliant and have mitigated against BEAST on all ports.
I hope this helps someone else.
Regards

Lloyd
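
A way to confirm the edits above are the active values in each file, as an added example that is not part of the original post. The function names and the ROOT prefix argument are assumptions made for this sketch; the Qmail and cipher.lst files are not checked because their contents are not shown on the page.

```shell
#!/bin/sh
# Added example (not from the post). Usage: audit_tls ""  (live system)
#                                     or: audit_tls /path/to/copy-of-root

# active_value FILE KEY: print the last uncommented value of KEY in FILE.
# Accepts "Key value" (Apache), "key = value" (Postfix), KEY="value" (Courier).
active_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}//p" "$1" | tail -n 1 |
        sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# expect FILE KEY WANT: report one setting; return 1 on mismatch or missing file.
expect() {
    got=$(active_value "$1" "$2") || { echo "FAIL $1: not readable"; return 1; }
    if [ "$got" = "$3" ]; then
        echo "ok   $1: $2"
    else
        echo "FAIL $1: $2 is '${got:-unset}', expected '$3'"
        return 1
    fi
}

# audit_tls ROOT: check the Apache, Postfix and Courier values listed in the post.
# ROOT is a hypothetical path prefix so a copy of /etc can be audited.
audit_tls() {
    root=$1
    fails=0
    a=$root/etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
    p=$root/etc/postfix/main.cf
    expect "$a" SSLProtocol '-ALL +SSLv3 +TLSv1' || fails=$((fails + 1))
    expect "$a" SSLHonorCipherOrder 'On' || fails=$((fails + 1))
    expect "$a" SSLCipherSuite 'RC4-SHA:HIGH:!ADH:!EDH:!3DES' || fails=$((fails + 1))
    expect "$p" smtp_tls_mandatory_protocols '!SSLv2, !SSLv3' || fails=$((fails + 1))
    expect "$p" tls_high_cipherlist 'RC4-SHA' || fails=$((fails + 1))
    expect "$p" smtpd_tls_mandatory_ciphers 'HIGH' || fails=$((fails + 1))
    for f in pop3d-ssl imapd-ssl; do
        expect "$root/etc/courier-imap/$f" TLS_CIPHER_LIST 'RC4-SHA' ||
            fails=$((fails + 1))
    done
    echo "$fails setting(s) differ"
    [ "$fails" -eq 0 ]
}
```

Values are compared as exact strings, so a line that differs only in spacing is reported as a mismatch.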
 