Force SSLv3 on Mac OS X Server for PCI Compliance

These instructions disables SSLv2 on Mac OS X Server for clients who are going through PCI compliance certification which requires SSLv3.

There are additional files to the httpd.conf that Server Admin uses to create that file initially. I haven’t tested whether it makes sense to edit those files as well so add on if you think so. They are in the same folder with different extensions.

1. Open Terminal.
2. Enter openssl s_client -connect [server name]:443 -ssl2 and you should see results (see below for result if SSSLv2 is already disabled).
3. Enter openssl s_client -connect [server name]:443 -ssl3 and you should see results.
4. Visit their website and view their https pages so you can later confirm all works.

1. Open Terminal.
2. Enter sudo pico /private/etc/httpd/httpd.conf and password.
3. Scroll down to ##SSL Stuff and add lines after the text below <IfModule mod_ssl.c> but before </IfModule>
   • ##MACWORKS Added these two lines to disable SSLv2
   • SSLProtocol -ALL +SSLv3 +TLSv1
   • SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
4. Hit Control + O to save and Yes and Return.
5. In Server Admin Stop and Restart Web Services.

1. Open Terminal.
2. Enter openssl s_client -connect [server name]:443 -ssl2 and you should see the following error:
   • 11358:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
3. Enter openssl s_client -connect [server name]:443 -ssl3 and you should see results.
4. Visit their website and view their https pages to confirm you didn’t break the site.