Discussion in 'General' started by jtheed, Mar 22, 2012.

I need to create a new server that will require an SSL cert and it must pass PCI standards. My current install is on Debian Lenny with the latest ISPConfig and the OpenSSL is only SHA1. I need a better SSL version at a minimum of SHA2. This is a 5 point hit on the PCI scan. Will I need to change distros of Linux to make this happen? (I also have a server running Squeeze and the OpenSSL is only SHA1 as well.)

One of the major hits on the PCI scan (10 points) is that the AutoIndex is enabled. Do I need to add the -Index on any Directory section in all of my sites-enabled vhost files or in the ISPConfig site settings via the Apache2 directives, or is there just one place I can put this?

Another hit is TCP reset. I'm not sure if this is on the Cisco/Linksys router I am using or if it's on the box. They point me to a lot of Cisco's pages so I am assuming it is the router. I think I can fix this by turning off https on the router.

Another is on port 587 (which I need because of ISPs turning off port 25 access); it says that I am vulnerable because it makes it possible to detect which operating system I am running. They say it is showing the name of my mail server (which handles everything) and it says ESMTP Postfix (Debian/GNU). Is there a way to turn this off?

Everything is kept up to date on the system unless there is another repository I don't know about that should be in my sources list.

The company doing the scan is Security Metrics. (Major pain, but just doing their job.)
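The two findings in the post that are fixed in config files (directory listings from Apache's autoindex, and the Postfix SMTP banner naming the software and OS) can be checked against the config text before a rescan. The script below is an added example, not code from the thread or from ISPConfig: the vhost and main.cf snippets are constructed samples, and the two functions only inspect the text they are given. The "weak" samples mirror what a default Debian install ships (`Options Indexes` in a Directory block, and Postfix's `smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)`); the "hardened" samples show the corrected settings.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache and Postfix config text for
# two PCI-scan findings: directory listings enabled, and a version-revealing
# SMTP banner. All config snippets below are constructed samples.

# Constructed sample: a vhost the way a default install often ships it.
WEAK_VHOST='<VirtualHost *:80>
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>'

# Same vhost with directory listings turned off. Placing "Options -Indexes" in a
# <Directory /> block of the main config covers every site unless a vhost or
# .htaccess re-enables it with "Indexes", "+Indexes" or "Options All".
HARDENED_VHOST='<VirtualHost *:80>
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>'

# Constructed sample: Debian's packaged default banner names Postfix and the OS.
WEAK_MAINCF='myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
inet_interfaces = all'

# Banner trimmed to the hostname (the banner must still begin with $myhostname).
HARDENED_MAINCF='myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP
inet_interfaces = all'

# Returns 0 when no Options line enables listings, 1 when one does.
# "Indexes", "+Indexes" and "All" enable them; "-Indexes" disables them.
apache_indexes_disabled() {
    printf '%s\n' "$1" \
        | grep -iE '^[[:space:]]*Options[[:space:]]' \
        | grep -iE '(^|[[:space:]])[+]?(Indexes|All)([[:space:]]|$)' >/dev/null \
        && return 1
    return 0
}

# Returns 0 when smtpd_banner is set and reveals neither the MTA nor the OS.
# An unset banner counts as a finding: Postfix's own default includes $mail_name.
postfix_banner_clean() {
    banner=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*smtpd_banner[[:space:]]*=[[:space:]]*//p')
    [ -n "$banner" ] || return 1
    case "$banner" in
        *'$mail_name'*|*'$mail_version'*|*Postfix*|*Debian*) return 1 ;;
    esac
    return 0
}

# Report on the constructed samples.
for name in WEAK_VHOST HARDENED_VHOST; do
    eval "cfg=\$$name"
    if apache_indexes_disabled "$cfg"; then
        echo "$name: directory listings disabled"
    else
        echo "$name: directory listings ENABLED (scan finding)"
    fi
done
for name in WEAK_MAINCF HARDENED_MAINCF; do
    eval "cfg=\$$name"
    if postfix_banner_clean "$cfg"; then
        echo "$name: smtpd_banner does not reveal software or OS"
    else
        echo "$name: smtpd_banner reveals software or OS (scan finding)"
    fi
done
```

On a Debian box the same changes are applied with `a2dismod autoindex` (or `Options -Indexes` in the Directory blocks, as above) followed by an Apache reload, and with `postconf -e 'smtpd_banner = $myhostname ESMTP'` followed by `postfix reload`. Note that `Options All` also enables listings, which is why the check treats it as a finding.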

