PCI scan picking up various weak cipher suites

The PCI scans appear to be picking up some weak cipher suites on HTTPS, POP3S, IMAPS and SMTPS. This is easily fixed with the following configuration file examples:

Apache ssl.conf (or httpd.conf):

#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#SSLCipherSuite ALL:-ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1

If you are using Courier for IMAP and POP3, the imapd-ssl and pop3d-ssl files will need updating in /etc/courier-imap, or wherever the configuration files live.

imapd-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

pop3d-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

And if you are using qmail for SMTP/S, you may need to create the tlsserverciphers file in /var/qmail/control/. You can do this with:

openssl ciphers > /var/qmail/control/tlsserverciphers

Then remove the ciphers that the PCI scan complained about. In this case they were: EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5

Or, even better:

Directory: /etc/httpd/conf.d/
File: /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2

Directory: /var/qmail/control/
[root@server control]# cat tlsserverciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:-SSLv2
[root@server1 control]# cat tlsclientciphers
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

Directory: /etc/courier-imap
[root@server courier-imap]# grep TLS_CIPHER_LIST= *-ssl
imapd-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
pop3d-ssl:TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
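The cipher strings above mix two kinds of removal: `-LOW` only drops suites until a later token adds them back, while `!LOW` keeps them out for the rest of the string. The following added example (not from the original post) models the OpenSSL cipher-string operators against a small constructed cipher table so the strings above can be sanity-checked offline before reloading a service; the table, its tags and the WEAK_TAGS set are assumptions that only approximate OpenSSL's real, much larger table.

```python
# Added example, not from the original post: a simplified model of OpenSSL's
# cipher-string operators ('' add, '+' move to end, '-' remove, '!' remove for
# good, '@STRENGTH' sort) run against a small, constructed cipher table.
from collections import namedtuple

Cipher = namedtuple("Cipher", "name bits tags")   # tags: openssl(1)-style aliases
# Constructed subset; the real OpenSSL table is far larger and more nuanced.
CIPHERS = [
    Cipher("DHE-RSA-AES256-SHA", 256, {"HIGH", "RSA", "AES", "SSLv3"}),
    Cipher("AES256-SHA", 256, {"HIGH", "RSA", "AES", "SSLv3"}),
    Cipher("RC4-SHA", 128, {"MEDIUM", "RSA", "RC4", "SSLv3"}),
    Cipher("DES-CBC-SHA", 56, {"LOW", "RSA", "DES", "SSLv3"}),
    Cipher("EXP-RC4-MD5", 40, {"EXP", "RSA", "RC4", "SSLv3"}),
    Cipher("EXP-DES-CBC-SHA", 40, {"EXP", "RSA", "DES", "SSLv3"}),
    Cipher("EXP-RC2-CBC-MD5", 40, {"EXP", "RSA", "RC2", "SSLv2"}),
    Cipher("ADH-AES256-SHA", 256, {"HIGH", "aNULL", "ADH", "AES", "SSLv3"}),
    Cipher("NULL-SHA", 0, {"eNULL", "RSA", "SSLv3"}),
]
WEAK_TAGS = {"EXP", "LOW", "aNULL", "eNULL", "SSLv2"}   # what the scan flagged

def matches(cipher, keyword):
    """'RC4+RSA' needs every '+'-joined part; 'ALL' is everything except eNULL."""
    return all("eNULL" not in cipher.tags if p == "ALL" else p in cipher.tags
               for p in keyword.split("+"))

def evaluate(cipher_string, table=CIPHERS):
    """Return the selected suite names in server preference order."""
    selected, killed = [], set()      # '!' entries stay out for the whole string
    for token in cipher_string.split(":"):
        if token == "@STRENGTH":      # stable sort by key size, strongest first
            selected.sort(key=lambda ci: ci.bits, reverse=True)
            continue
        op, kw = (token[:1], token[1:]) if token[:1] in "+-!" else ("", token)
        hits = [ci for ci in table if matches(ci, kw)]
        if op == "!":
            killed.update(ci.name for ci in hits)
            selected = [ci for ci in selected if ci.name not in killed]
        elif op == "-":               # a later plain token can add these back
            selected = [ci for ci in selected if ci not in hits]
        elif op == "+":               # reorder only: move matches to the end
            selected = [ci for ci in selected if ci not in hits] + \
                       [ci for ci in selected if ci in hits]
        else:                         # append new matches unless killed earlier
            selected += [ci for ci in hits if ci not in selected and ci.name not in killed]
    return [ci.name for ci in selected]

def weak_suites(cipher_string, table=CIPHERS):
    """Suites the string still offers that a PCI-style scan would flag."""
    bad = {ci.name for ci in table if ci.tags & WEAK_TAGS}
    return [n for n in evaluate(cipher_string, table) if n in bad]
```

Running `weak_suites` over the commented-out Apache line shows the DES and EXP suites still offered, while the active Apache, Courier and qmail strings come back empty.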

I tested this by removing one of the above and trying to connect:

# openssl s_client -cipher EXP-RC4-MD5 -connect localhost:smtps
CONNECTED(00000003)
25857:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:489:

Then I put it back in the list, tried again and could connect again. Connections can be tested manually with: openssl s_client -ssl2 -connect host:port

Update 25/02/2010:

Additional URLs: