1

I'm trying to disable SSLv3 to avoid the Poodle problem. I'm using the following instructions as a guideline: https://access.redhat.com/solutions/1232413

I've applied the following line to my config file:

SSLProtocol All -SSLv2 -SSLv3

and restarted apache, but it looks like I'm still vulnerable. I'm using this tool to verify: https://access.redhat.com/labs/poodle/

I've also done a grep to make sure SSL is not active anywhere else, which it isn't.

I came across this post: How to disable SSLv3 in Apache?, the accepted answer states that you have to put in the above line in every vhost stanza, is this true? I do have other vhosts on this server but they are required to be secure.

** EDIT: Adding sanitised config file for the site with SSL references. **

<VirtualHost *:80>
    ServerAdmin webmaster@xxxxxx.xxx
    DocumentRoot "/html/xxxxxx.xxxxxx.xxx"
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerName xxxxxx.xxxxxx.xxx
    ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
    CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@xxxxxx.xxx
    DocumentRoot "/html/xxxxxxxxxxx/xxxxxx"
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerName xxxxxx.xxxxxx.xxx
    ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
    CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common

    SSLEngine on

    SSLCertificateFile /path/to/cert/xxxxxx.xxxxxx.xxx.crt
    SSLCertificateKeyFile /path/to/key/xxxxxx.xxxxxx.xxx.key
    SSLCertificateChainFile /path/to/chain/xxxxxx.xxxxxx.xxx.ca

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    <Directory "/html/xxxxxx.xxxxxx.xxx">
        DirectoryIndex index.php index.htm index.html
        Options -Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

My other vhost files are just standard configs for port 80, there's nothing special about them.

sudo service httpd configtest returns Syntax OK.

Stephen
  • Could you use https://www.ssllabs.com/ssltest/ instead and verify. – Braiam Oct 20 '14 at 13:37
  • @Braiam I just tested the above link and I'm still vulnerable. – Stephen Oct 20 '14 at 13:45
  • Could you provide the version of apache and a sanitized copy of your httpd.conf files? Might be good also sudo apache2ctl configtest – Braiam Oct 20 '14 at 13:48
  • @Braiam details added. – Stephen Oct 20 '14 at 14:11
  • "put in the above line in every vhost stanza" I believe is true only if each vhost has 'SSLProtocol' stated separately, which I believe is not true in your case. Could you check whether there are any other ssl.conf files on your server? – Sreeraj Oct 20 '14 at 14:54
  • @Sree I've done a grep and I can only find SSLProtocol in the mod_ssl.so and the one vhost (shown above). – Stephen Oct 20 '14 at 15:37
  • Did you check whether there are more than one config files and that you are modifying the correct one? I assume that you have already restarted/reloaded apache after making the change. – Sreeraj Oct 20 '14 at 15:53
  • @Sree I have five vhosts on this server and I'm modifying the correct one. I've used grep to make sure there are no other files hidden away. – Stephen Oct 20 '14 at 15:55
  • This is strange. Could you confirm you have restarted/reloaded apache? – Sreeraj Oct 20 '14 at 15:59
  • @Sree, yes I've done both. – Stephen Oct 20 '14 at 16:19

2 Answers

2

I solved the problem, I had to put the following line:

SSLProtocol all -SSLv2 -SSLv3

in the /etc/httpd/conf.d/ssl.conf

For some reason the settings in the vhost config were not taking priority.

Stephen
0

One way I used to locate all HTTPS vhosts is to recursively grep all the config files under the httpd/apache2 dir.

/etc/apache2# grep -nR 'SSLEngine on' .
Rabin