• Status: Solved

PCI uncompliant Apache Tomcat site after installation of SSL certificate on server

I've got problems getting our Tomcat application PCI compliant after installing an SSL certificate on the server.
After installing an SSL certificate on our server (that hosts multiple sites), one of our sites that is NON-SSL, on the same server, gets PCI uncompliant. It seems like the PCI scan thinks the site is SSL due to the certificate installation on the server.



The description of the problem is as follows:
"The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all."

Note: This is considerably easier to exploit if the attacker is on the
same physical network.

General Solution:
"Reconfigure the affected application if possible to avoid use of weak
ciphers."


Is there a way to disable SSL for this specific Tomcat site, that is hosted on the same server?
(To get PCI compliance for the site)
Asked by: dianyk

1 Solution
vinsvin Commented:
Depending on your needs, you can come up with an SSLCipherSuite line that handles the job for you.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

0
 
dianyk (Author) Commented:
Issue solved. All I needed to do was to change the ciphers accepted in server.xml
0
 
dianyk (Author) Commented:
It was an easy configuration in the server.xml. 100% solution
0
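
The fix described in the comments above (restricting the ciphers accepted in server.xml), as an added example that is not part of the original thread: a Python check that reports SSL-enabled `<Connector>` elements whose `ciphers` attribute is missing or names weak suites. The sample server.xml, the weak-token list and the function names are constructed for illustration, and the check assumes the comma-separated JSSE suite names used by Tomcat's Java connectors.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: suite-name tokens treated as weak or unencrypted.
WEAK_TOKENS = {"NULL", "EXPORT", "anon", "DES", "DES40", "RC2", "RC4", "MD5"}

# Constructed sample server.xml, not taken from the original post.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/example.keystore"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/example.keystore"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
  </Service>
</Server>
"""

def weak_suites(ciphers):
    """Return the suites in a comma-separated list that contain a weak token."""
    names = [c.strip() for c in ciphers.split(",") if c.strip()]
    return [n for n in names if WEAK_TOKENS & set(n.split("_"))]

def audit_connectors(server_xml):
    """Map each SSL-enabled Connector port to a finding string."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no cipher list to check
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # Without an explicit list the connector falls back to defaults.
            findings[conn.get("port")] = "no ciphers attribute: defaults apply"
        else:
            weak = weak_suites(ciphers)
            findings[conn.get("port")] = "weak: " + ", ".join(weak) if weak else "ok"
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, finding)
```
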
