My web server PCI compliance scan warns about using RC4
I'm trying to set up a web server that passes a PCI compliance test. The test is reporting that the RC4 cipher used by my web server is considered weak. Here's what the test result shows:
SSL/TLS use of weak RC4 cipher
CIPHER             KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION  GRADE

SSLv3 WITH RC4 CIPHERs IS SUPPORTED
RC4-SHA            RSA           RSA             SHA1  RC4         MEDIUM
ECDHE-RSA-RC4-SHA  ECDH          RSA             SHA1  RC4         MEDIUM

TLSv1 WITH RC4 CIPHERs IS SUPPORTED
RC4-SHA            RSA           RSA             SHA1  RC4         MEDIUM
ECDHE-RSA-RC4-SHA  ECDH          RSA             SHA1  RC4         MEDIUM

TLSv1.1 WITH RC4 CIPHERs IS SUPPORTED
RC4-SHA            RSA           RSA             SHA1  RC4         MEDIUM
ECDHE-RSA-RC4-SHA  ECDH          RSA             SHA1  RC4         MEDIUM

TLSv1.2 WITH RC4 CIPHERs IS SUPPORTED
RC4-SHA            RSA           RSA             SHA1  RC4         MEDIUM
ECDHE-RSA-RC4-SHA  ECDH          RSA             SHA1  RC4         MEDIUM
How can I address this?
1 Reply
One way to address this is to remove RC4 as an available cipher for your web server. If you're using Apache, this documentation talks about how to adjust your ciphers:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Specifically, you can control which cipher you use with the SSLCipherSuite parameter. Here's a common default setting for Apache:
SSLCipherSuite HIGH:!aNULL:!MD5
If yours looks like this, then you can exclude RC4 by adding the !RC4 option to the end of that line:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
This page describes some useful secure options for your SSL:
I'm not sure if those will pass PCI Compliance, but it could be worth trying them out. If you do this, you'll want to make a backup of your current configuration first.
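As an added example (not part of the reply above, and not Apache's or the scanner's own code), the script below parses the scanner output from the question, derives the !RC4 exclusion for the SSLCipherSuite line, and then uses Python's ssl module to expand the resulting cipher string with the local OpenSSL to confirm no RC4 suite survives. It assumes the scanner's ENCRYPTION column uses names OpenSSL accepts as cipher-string aliases (true for RC4).

```python
"""Derive an Apache SSLCipherSuite exclusion from a PCI scan finding and verify,
via the local OpenSSL (through Python's ssl module), that no RC4 suite remains."""
import ssl

# The scanner output quoted in the question, in the flattened one-line form it was pasted in.
SCAN_OUTPUT = (
    "CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION GRADE "
    "SSLv3 WITH RC4 CIPHERs IS SUPPORTED RC4-SHA RSA RSA SHA1 RC4 MEDIUM "
    "ECDHE-RSA-RC4-SHA ECDH RSA SHA1 RC4 MEDIUM "
    "TLSv1 WITH RC4 CIPHERs IS SUPPORTED RC4-SHA RSA RSA SHA1 RC4 MEDIUM "
    "ECDHE-RSA-RC4-SHA ECDH RSA SHA1 RC4 MEDIUM "
    "TLSv1.1 WITH RC4 CIPHERs IS SUPPORTED RC4-SHA RSA RSA SHA1 RC4 MEDIUM "
    "ECDHE-RSA-RC4-SHA ECDH RSA SHA1 RC4 MEDIUM "
    "TLSv1.2 WITH RC4 CIPHERs IS SUPPORTED RC4-SHA RSA RSA SHA1 RC4 MEDIUM "
    "ECDHE-RSA-RC4-SHA ECDH RSA SHA1 RC4 MEDIUM"
)
GRADES = {"LOW", "MEDIUM", "HIGH"}


def flagged_suites(scan_text):
    """Return {protocol: [(cipher, encryption), ...]} for every row the scanner flagged.
    Token-based, so it accepts both the flattened paste and a line-per-row report."""
    tok, found, proto, i = scan_text.split(), {}, None, 0
    while i < len(tok):
        if tok[i + 1:i + 2] == ["WITH"] and tok[i + 3:i + 6] == ["CIPHERs", "IS", "SUPPORTED"]:
            proto, i = tok[i], i + 6          # "<proto> WITH <alg> CIPHERs IS SUPPORTED"
        elif proto and i + 6 <= len(tok) and tok[i + 5] in GRADES:
            found.setdefault(proto, []).append((tok[i], tok[i + 4]))  # CIPHER, ENCRYPTION
            i += 6
        else:
            i += 1                            # column header or stray token: skip
    return found


def exclusion_string(base, scan_text):
    """Append !<ENCRYPTION> for each flagged algorithm not already excluded,
    e.g. HIGH:!aNULL:!MD5 -> HIGH:!aNULL:!MD5:!RC4 (assumes OpenSSL alias names)."""
    algos = sorted({enc for rows in flagged_suites(scan_text).values() for _, enc in rows})
    present = set(base.split(":"))
    return ":".join([base] + [f"!{a}" for a in algos if f"!{a}" not in present])


def enabled_rc4_suites(cipher_string):
    """Expand a cipher string with the local OpenSSL; return the RC4 suite names
    it still enables (an empty list means RC4 is gone)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:                      # nothing matched at all, so no RC4 either
        return []
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


if __name__ == "__main__":
    hardened = exclusion_string("HIGH:!aNULL:!MD5", SCAN_OUTPUT)
    print("SSLCipherSuite", hardened, "-> RC4 suites enabled:", enabled_rc4_suites(hardened))
```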