
Everybody seems to be talking about the POODLE vulnerability today. And everybody recommends disabling SSLv3 in Apache using the following configuration directive:

SSLProtocol All -SSLv2 -SSLv3

instead of the default

SSLProtocol All -SSLv2

I've done that, and no joy – after testing repeatedly with various tools (here's a fast one), I find that SSLv3 is happily accepted by my server.

Yes, I did restart Apache. Yes, I did a recursive grep on all configuration files, and I don't have any override anywhere. And no, I'm not using some ancient version of Apache:

[root@server ~]# apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

So, what gives? How does one really disable SSLv3 in Apache?

  • Answered here: http://askubuntu.com/q/537196/7163 – Rory Alsop Oct 16 '14 at 07:58
    As explained in the question, I have performed all steps indicated in that section and SSL3 is still available. I couldn't tell you which specific part of that section fails to disable SSL3, but the point is that it just doesn't, in its entirety. Having said that, I understand you have your moderator hat on at the moment, so please unhold the question — it might well prove that I'm a moron and I made an elementary mistake, but from a moderator's POV this is a legitimate question. –  Oct 16 '14 at 11:12

8 Answers


I had the same problem... You have to include SSLProtocol all -SSLv2 -SSLv3 within every VirtualHost stanza in httpd.conf

The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:

...
...
<VirtualHost your.website.example.com:443>
    DocumentRoot /var/www/directory
    ServerName your.website.example.com

    ...
    SSLEngine on
    ...
    SSLProtocol all -SSLv2 -SSLv3
    ...
</VirtualHost>

Also check ssl.conf or httpd-ssl.conf or similar, because the directive may be set there, not necessarily in httpd.conf.

darcoli
    For the record, depending on your sysadmin/webmaster, VirtualHosts might just as well live within their own dedicated file in conf.d (that's how I like to keep house, and it's something I learned, not something I invented, so I expect I'm not the only one). – Bogdan Stăncescu Oct 17 '14 at 20:31
    Note that as of at least Apache 2.4+ SSLProtocol configured outside of VirtualHost stanzas will apply to all virtual hosts. – nurikabe Jan 13 '15 at 14:01
    I found this tool that will test, among other things, whether your server has SSLv3 disabled: https://www.ssllabs.com/ssltest/index.html – amphetamachine Mar 04 '15 at 16:59
    This answer was very helpful for me when disabling TLSv1. To check if a given protocol is fully disabled, I found the following useful: nmap -sV --script ssl-enum-ciphers -p 443 <hostname>. – Luca Citi Jul 09 '18 at 16:29
  • Is there a way to set up the SSLProtocol system-wide, without having to edit each VirtualHost? – Dunatotatos Jun 26 '19 at 08:23
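As an added example (not code from the original answer or from the Apache project), the script below evaluates SSLProtocol argument lists the way mod_ssl does and then audits a constructed httpd.conf for SSL-enabled VirtualHost stanzas that do not repeat the directive. It models the behaviour described in the answer above, where the global SSLProtocol does not reach the vhost, by giving such vhosts a `fallback` of `all`; the function names and the sample config are assumptions of this example.

```python
import re

# Protocol names mod_ssl understands; "all" is modelled as SSLv3 plus the TLS
# versions (OpenSSL 1.0.1-era builds drop SSLv2 from "all"; -SSLv2 still parses).
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in ("SSLv2",) + ALL}

def parse_sslprotocol(args):
    """Evaluate an SSLProtocol argument list: 'all' adds every protocol, a bare
    name or +name adds one, -name removes one. Names are case-insensitive, so
    '-TLSV1' is accepted. Returns the set of protocols left enabled."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[:1] in "+-" else ("+", tok)
        names = ALL if name.lower() == "all" else (KNOWN.get(name.lower()),)
        if names == (None,):
            raise ValueError("unknown SSLProtocol keyword: " + tok)
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled

def audit_vhosts(config_text, fallback="all"):
    """Map each SSL-enabled <VirtualHost> to its effective protocol set. A vhost
    with no SSLProtocol of its own gets `fallback`, not the global directive
    (assumption modelling the Apache 2.2 behaviour described in the answer)."""
    results = {}
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                         config_text, re.S | re.I):
        name, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        d = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", body, re.M | re.I)
        results[name] = parse_sslprotocol(d.group(1) if d else fallback)
    return results

def sslv3_vhosts(config_text):
    """Names of SSL vhosts that would still accept SSLv3."""
    return sorted(v for v, p in audit_vhosts(config_text).items() if "SSLv3" in p)

# Constructed sample httpd.conf (not the asker's): the global directive is
# correct, but vhost a.example.com never repeats it and so stays exposed.
SAMPLE_CONF = """
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost a.example.com:443>
    SSLEngine on
</VirtualHost>
<VirtualHost b.example.com:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
```

Running `sslv3_vhosts(SAMPLE_CONF)` reports `['a.example.com:443']`; the same audit with `fallback="all -SSLv2 -SSLv3"` shows what the config would mean on a version that inherits the global directive.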

I had the same problem on Ubuntu 14.04. After reading this, I edited the section "SSLProtocol" in /etc/apache2/mods-available/ssl.conf.

  • from: SSLProtocol all
  • to: SSLProtocol all -SSLv2 -SSLv3 -TLSV1

But it didn't work. So I edited the following section too "SSLCipherSuite" in /etc/apache2/mods-available/ssl.conf.

  • from: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  • to: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

And now it works for me.

By the way, the Cipher Suites are not affected by POODLE, only the protocol -- but most browsers are okay with a disabled SSLv3 Cipher Suite.

Don't use this for a mail server! Or you will (maybe) face the problem of not being able to fetch your mail on some devices.

BlueM00n

For Ubuntu 10.04

To disable SSLv3 on all active vhosts you need the option in

/etc/apache2/mods-available/ssl.conf :

SSLProtocol all -SSLv2 -SSLv3

I had a similar problem this morning, and I found another virtualhost enabling SSLv3, so the entire server responds to SSLv3 connections.

So, make sure that none of your hosts has SSLv3 active.

terdon

Be sure the SSLCipherSuite does not contain !SSLv3. In that context, it also refers to TLS1.0 and TLS1.1.

For example, if your config is SSLProtocol All, only TLS1.2 will be available due to how SSLCipherSuite is configured with !SSLv3.

anon

The method you are using is for newer versions of Apache and OpenSSL. It may be that a newer version of these is not installed on your system; verify the currently installed version.

Since SSLv2 and SSLv3 are both vulnerable to some attacks, it would be better to use only TLS. So modify your Apache conf file as follows:

SSLProtocol TLSv1 TLSv1.1 TLSv1.2

or

SSLProtocol TLSv1
ifexploit

For CentOS users having trouble editing your SSL configuration file via SSH, try disabling SSLv3 via WHM:

Step 1: Navigate to the Include Editor

- Login to WHM
- Open up the "Apache Configuration" screen, and click on "Include Editor"

Step 2: Edit the Includes

- Under "Pre Main Include", select "All Versions". This way your server will be protected if you change your version of Apache. When selected, enter the following into the text box:

On CentOS/RHEL 6.x:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

On CentOS/RHEL 5.x:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1

…and then click Update.

Once you click update, you’ll be prompted to restart Apache; do so at this time.

original source: https://www.liquidweb.com/kb/how-to-disable-sslv3-and-protect-your-whmcpanel-server-from-poodle/


I had a similar issue and I had checked that I had all the appropriate apache settings correct.

However what I missed was that I had nginx as a reverse proxy in front of apache. I also happen to be using Plesk and this is from their POODLE fixes guide:

If you are running Nginx, include the following line in your configuration among the other SSL directives in the /etc/nginx/nginx.conf :

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
icc97