JUST an FYI

When you set up an https site on OpenBSD with the example httpd.conf,
the SSL protocol SSLv2 and the SSL ciphers medium and weak are available.

And when Security Metrics runs a PCI compliance scan
you may fail due to weak SSL protocol and ciphers.


Here are the two lines I added under SSLEngine On
to modify the SSL to pass PCI compliance:

 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:-MEDIUM:-LOW

I don't know if I needed to make "SSLProtocol" a separate line to disable SSLv2; the conf file suggests it can be in SSLCipherSuite, but what I did above passed
the PCI compliance test.

BTW, I think I tried it with +MEDIUM and failed. The default is something like
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


If someone has something more elegant that passed the securitymetrics.com
test, do share.
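A way to check what an SSLCipherSuite string actually selects before running a scan, as an added example that is not part of the original post and not OpenBSD's or Apache's code: it loads the two cipher strings quoted above into Python's ssl module and lists what the local OpenSSL picks, flagging anything a PCI scan would object to (anonymous DH, null or export encryption, RC4, DES/3DES, anything under 128 bits). It assumes a current Python and OpenSSL, where the RC4, SSLv2 and EXP aliases match nothing (SSLv2 itself is a protocol, controlled by SSLProtocol, and is no longer built), so on such a system the interesting part is the difference between "-X", which only drops X until a later token adds it back, and "!X", which removes X for good. On the OpenSSL of the era the default string would additionally list RC4, DES and export ciphers.

```python
import ssl

# The two SSLCipherSuite strings from the post: the shipped default and the
# tightened one.  Aliases unknown to the local OpenSSL (SSLv2, possibly EXP)
# are skipped by the cipher-string parser rather than rejected.
DEFAULT_SUITE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
HARDENED_SUITE = "ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:-MEDIUM:-LOW"

# Substrings of OpenSSL cipher names that a PCI scan flags: anonymous DH
# (ADH-/AECDH-), null encryption, export grade, RC4 and single/triple DES.
WEAK_MARKERS = ("ADH-", "AECDH-", "NULL", "EXP", "RC4", "DES")


def expand_cipher_string(suite):
    """Return the cipher names OpenSSL selects for a cipher string, in
    preference order.  The list also carries the TLS 1.3 suites, which
    OpenSSL manages separately from this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(suite)  # raises ssl.SSLError if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit_cipher_string(suite, min_bits=128):
    """Expand a cipher string and report what a scanner would flag.

    Returns a dict with the number of selected ciphers, the names that hit a
    weak marker or fall below min_bits of key strength, and the weakest key
    strength seen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(suite)
    selected = ctx.get_ciphers()
    weak = []
    weakest = None
    for cipher in selected:
        name, bits = cipher["name"], cipher["strength_bits"]
        if any(marker in name for marker in WEAK_MARKERS) or bits < min_bits:
            weak.append(name)
        weakest = bits if weakest is None else min(weakest, bits)
    return {"count": len(selected), "weak": weak, "min_bits": weakest}


def minus_vs_bang():
    """Show the difference between '-' and '!' using the AES128 alias,
    which exists on every current OpenSSL.  '-AES128' deletes those ciphers
    from the list built so far, but a later 'AES128' puts them back;
    '!AES128' kills them permanently.  Returns a pair of booleans telling
    whether AES128 ciphers survived in each case."""
    with_minus = expand_cipher_string("HIGH:-AES128:AES128")
    with_bang = expand_cipher_string("HIGH:!AES128:AES128")
    return (
        any("AES128" in name for name in with_minus),
        any("AES128" in name for name in with_bang),
    )


if __name__ == "__main__":
    for label, suite in (("default", DEFAULT_SUITE), ("hardened", HARDENED_SUITE)):
        report = audit_cipher_string(suite)
        print(f"{label}: {report['count']} ciphers, weakest {report['min_bits']} bits")
        for name in report["weak"]:
            print(f"  flagged: {name}")
    survived_minus, survived_bang = minus_vs_bang()
    print(f"AES128 back after '-AES128:AES128': {survived_minus}")
    print(f"AES128 back after '!AES128:AES128': {survived_bang}")
```

Running it with the hardened string should report no flagged ciphers and nothing below 128 bits; the "-" versus "!" pair is the reason "+MEDIUM" or a stray re-add later in the string can undo an earlier "-MEDIUM", whereas "!aNULL" and "!EXP" cannot be reversed by anything that follows.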
