Making VisualSVN PCI compliant

One of AIS’s customers is currently going through PCI compliance audits.  One of the core tenets of PCI compliance is the hardening of every externally facing corporate system.

During the audit, the SVN port was flagged as a security risk (i.e. the port failed the scan because the server accepted weak encryption).  Whether an externally facing SVN port belongs in a PCI compliant organization at all is debatable, but this customer had a legitimate business need to keep the SVN environment available.

Credit for the solution does not go to AIS; it was worked out by the customer’s internal PCI expert.  In the interest of knowledge sharing, the customer has given AIS permission to publish it here.

VisualSVN Server is a robust, easy-to-administer and even easier-to-install SVN server built on the Apache HTTP Server.  Making a plain Apache install PCI compliant is a well documented process, but translating those steps to VisualSVN Server proved a little more difficult, because its Apache configuration is generated by the installer rather than edited directly.

Goals

  • Disable the HTTP TRACE method (this is what the scanner flags; it has nothing to do with traceroute)
  • Restrict SSL/TLS to SSLv3 and TLSv1, which disables SSLv2
  • Disable weak cipher suites

Solution

  1. Locate the configuration directory (conf) inside the VisualSVN Server install directory
  2. Add the following lines to the httpd-custom.conf file.  VisualSVN Server includes this file from its generated httpd.conf and leaves it alone on upgrade, so settings placed here are not overwritten
  3. Restart the VisualSVN Server service so Apache picks up the new directives

TraceEnable off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

The first line turns off HTTP TRACE, the second removes SSLv2 and leaves only SSLv3 and TLSv1, and the third drops anonymous, null, export and low-strength ciphers.  Note that these settings reflect the PCI requirements of the time: since PCI DSS 3.1, SSL and early TLS (anything below TLSv1.2) no longer count as strong cryptography, and RC4, which the cipher string above still selects explicitly with RC4+RSA, is prohibited outright.  On a current VisualSVN Server build the same three directives should therefore allow TLSv1.2 or later only and exclude RC4.
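As an added check (example code written for this page, not from the original post or from VisualSVN), the script below evaluates the three directives the way a PCI scanner judges them today: it expands the SSLProtocol expression token by token, works out which weak OpenSSL cipher aliases a cipher string still selects, and can probe a live port to confirm which TLS versions it really negotiates. Both config fragments are constructed inline; the post's fragment is reproduced as-is, while the "replacement" fragment is an assumed TLS 1.2+ configuration for a current Apache 2.4 build. The host name in the live probe is a placeholder.

```python
"""Audit a VisualSVN/Apache TLS hardening fragment the way a PCI scanner would.

Added example, not code from the original post or from VisualSVN.  Both config
fragments are constructed here; the host in the live probe is a placeholder.
"""
import socket
import ssl

# Protocol names mod_ssl accepts, oldest first.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# PCI DSS 3.1 and later: SSL and "early TLS" (anything below TLSv1.2) fail.
DISALLOWED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher aliases a scanner flags when a cipher string selects them.
WEAK_ALIASES = {"RC4", "EXP", "LOW", "NULL", "aNULL", "eNULL", "ADH", "DES", "3DES", "MD5"}
# Aliases that include RC4 on every OpenSSL build that still ships RC4.
RC4_CARRIERS = {"ALL", "MEDIUM"}

# The fragment from the post (Apache 2.2 era), constructed inline for the demo.
PAGE_FRAGMENT = """\
TraceEnable off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

# Assumed TLS 1.2+ replacement for a current Apache 2.4 build (TLSv1.3 needs
# OpenSSL 1.1.1 or later); not taken from the post.
HARDENED_FRAGMENT = """\
TraceEnable off
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
"""


def parse_ssl_protocol(value):
    """Evaluate an SSLProtocol expression left to right: 'all' expands to every
    known version, '-X' or '!X' removes X, '+X' or bare 'X' adds it."""
    by_lower = {p.lower(): p for p in KNOWN_PROTOCOLS}
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-!" else ("+", token)
        if name.lower() == "all":
            targets = set(KNOWN_PROTOCOLS)
        elif name.lower() in by_lower:
            targets = {by_lower[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: " + token)
        enabled = enabled - targets if sign in "-!" else enabled | targets
    return enabled


def weak_ciphers_enabled(cipher_string):
    """Return the weak aliases an OpenSSL cipher string still allows.  '!X'
    removes X permanently; any other token selects, and 'A+B' means A and B."""
    excluded, selected = set(), set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            excluded.add(token[1:])
        else:
            selected.update(token.lstrip("+-").split("+"))
    weak = selected & WEAK_ALIASES
    if selected & RC4_CARRIERS:
        weak.add("RC4")  # ALL/MEDIUM carry RC4; the post's RC4+RSA re-selects it too
    return weak - excluded


def audit_fragment(fragment):
    """Return findings for the directives in an httpd-custom.conf fragment."""
    directives = {}
    for raw in fragment.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    if directives.get("TraceEnable", "on").lower() != "off":  # Apache default is on
        findings.append("TraceEnable is not off: the server answers HTTP TRACE")
    enabled = parse_ssl_protocol(directives.get("SSLProtocol", "all"))
    bad = sorted(enabled & DISALLOWED_PROTOCOLS, key=KNOWN_PROTOCOLS.index)
    if bad:
        findings.append("SSLProtocol still enables " + ", ".join(bad))
    if "SSLCipherSuite" not in directives:
        findings.append("SSLCipherSuite not set: the mod_ssl default applies")
    else:
        weak = weak_ciphers_enabled(directives["SSLCipherSuite"])
        if weak:
            findings.append("SSLCipherSuite still allows " + ", ".join(sorted(weak)))
    return findings


def probe_tls_versions(host, port=443, timeout=5):
    """Handshake once per TLS version and return the ones the server accepts.
    Modern OpenSSL cannot speak SSLv3, so confirming that part of the fix needs
    a scanner or an old 'openssl s_client -ssl3' build."""
    accepted = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we test protocol support, not the cert
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass  # version refused by the server or not supported locally
    return accepted


if __name__ == "__main__":
    for label, fragment in (("post's fragment", PAGE_FRAGMENT),
                            ("TLS 1.2+ replacement", HARDENED_FRAGMENT)):
        print(label + ":", audit_fragment(fragment) or ["no findings"])
    # print(probe_tls_versions("svn.example.com", 443))  # placeholder host
```

Run against the post's fragment, the audit reports that SSLv3 and TLSv1 are still enabled and that RC4 is still allowed; the replacement fragment produces no findings. The cipher-alias evaluation is deliberately coarse (it does not expand HIGH or DEFAULT), so treat it as a pre-check and let probe_tls_versions, or the PCI scanner itself, have the final word on the live port.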