New PCI SSLCipherSuite requirements

6 posts / 0 new
Last post
#1 Thu, 10/27/2011 - 15:03
sgrayban Pro Licensee

New PCI SSLCipherSuite requirements

I just finished a long conference call with my PCI compliant provider and VISA.

After testing on several servers I found some weakness in the current SSLCipherSuite in both webmin and usermin plus normal SSL sites. The following information came from testing at and info from

The Cipher's that both my PCI provider and I came up with that will be the best security for any SSL attacks is.....


For apache these lines are now required by my PCI provider and other providers will be contacted to update their requirements in a few days.

SSLHonorCipherOrder     On
SSLCipherSuite          ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Both Webmin and Usermin must be updated to use those Cipher's in that order to maintain PCI compliance.

I will be updating my PCI docs to include the new settings that will be required.

If anyone has questions you can contact me directly via email (sgrayban[at] or via phone +1.509.279.0285

Tue, 12/11/2012 - 17:28

Using this for SSLCipherSuite worked for me with OpenSSL version 0.9.8 but didn't work with 0.9.7 to mitigate the BEAST.

openssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM'

Between OpenSSL version the cipher suites will be same except for the following:

0.9.7 has:

EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export

where 0.9.8 doesn't

and 0.9.8 has:

AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

where 0.9.7 doesn't.

Not 100% sure it's the OpenSSL version creating the difference. My two servers are running CentOS 4.x and 5.x. So, they're generally similar but not identical.

Thu, 08/15/2013 - 13:17


Two questions:

  1. Why do you repeat AES256-SHA256 twice in your config statement?
  2. Why do you disallow AESGCM?
Fri, 10/17/2014 - 15:28

I had exactly the same questions @hudibu!

I found this list is now installed by Virtualmin when installed on Debian, but those two entries make little sense to me. What am I missing?

Wed, 10/22/2014 - 01:10 (Reply to #4)
sgrayban Pro Licensee

It was a typo

Wed, 10/22/2014 - 04:15
sgrayban Pro Licensee

To prevent the beast and poodle attacks in webmin/usermin the following cypher list is now required.... <-- this will give you exactly what you need to add or change to your miniserv.conf files