Apache disable SSLv2 SSLv3

I just solved this myself with the POODLE exploit.

For OpenSuSE only, add the following into your /etc/apache2/ssl-global.conf

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
  #Your other stuff
  SSLProtocol All -SSLv2 -SSLv3
</IfModule>
</IfDefine>
</IfDefine>

Save, exit, and restart Apache with the following: rcapache2 restart

If there are still any problems let me know.
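As an added illustration (not code from the answer or from Apache itself), here is a small Python model of how mod_ssl in Apache 2.2 evaluates one SSLProtocol line, run over the four variants listed in the question. Assumptions: it mirrors mod_ssl's left-to-right parsing, in which a keyword without a +/- prefix replaces the set built so far, and it knows only the 2.2-era tokens SSLv2, SSLv3, TLSv1 and all.

```python
"""Evaluate an Apache 2.2 SSLProtocol line the way mod_ssl's parser does.

Tokens are applied left to right: '+name' adds a protocol, '-name' removes it,
and a bare name REPLACES everything set so far (mod_ssl warns when that
discards earlier tokens).  Keywords are case-insensitive.  Assumption: only
the 2.2-era tokens SSLv2, SSLv3, TLSv1 and all are modelled here."""

ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
_KEYWORDS = {p.lower(): frozenset({p}) for p in ALL_PROTOCOLS}
_KEYWORDS["all"] = ALL_PROTOCOLS


def effective_protocols(directive):
    """Return (enabled protocols, warnings) for one 'SSLProtocol ...' line."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled, warnings = frozenset(), []
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else None
        name = tok[1:] if action else tok
        if name.lower() not in _KEYWORDS:
            raise ValueError("Illegal protocol '%s'" % name)  # mod_ssl's wording
        proto = _KEYWORDS[name.lower()]
        if action == "-":
            enabled = enabled - proto
        elif action == "+":
            enabled = enabled | proto
        else:
            if enabled:  # bare keyword after other tokens: easy-to-miss override
                warnings.append("Protocol '%s' overrides already set parameter(s); "
                                "check if a +/- prefix is missing." % name)
            enabled = proto
    if not enabled:  # mod_ssl refuses to start in this case
        warnings.append("No SSL protocols available [hint: SSLProtocol]")
    return enabled, warnings


def allows_sslv3(directive):
    """True if the line, taken alone, would still let clients negotiate SSLv3."""
    return "SSLv3" in effective_protocols(directive)[0]


if __name__ == "__main__":
    # The question's four variants plus the "-all" case from the comments (constructed input).
    for line in ("SSLProtocol ALL -SSLv2 -SSLv3", "SSLProtocol +TLSv1 -SSLv2 -SSLv3",
                 "SSLProtocol TLSv1", "SSLProtocol -ALL TLSv1", "SSLProtocol -all"):
        enabled, warnings = effective_protocols(line)
        print("%-34s -> %s %s" % (line, sorted(enabled), warnings))
```

Every one of the question's variants resolves to TLSv1 alone, so when a scanner still negotiates SSLv3 the line being tested is not the one in effect for that listener, which is why the comments suggest grepping the whole /etc/apache2 tree for other SSLProtocol directives.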

Author: manderda

Updated on September 18, 2022

Comments

  • manderda
    manderda over 1 year

    I know that there are some questions around here that come along with this topic. But I really don't know what I can do anymore.

    So here's the point:

    • I am using Apache 2.2.22 on OpenSuse 12.3.
    • The SSLProtocol option is in my ssl.conf
    • I have tried out all of these options:

      SSLProtocol ALL -SSLv2 -SSLv3 
      ----------
      SSLProtocol +TLSv1 -SSLv2 -SSLv3
      ----------
      SSLProtocol TLSv1
      ----------
      SSLProtocol -ALL TLSv1
      ----------
      

    But whatever I try, all protocols are still available...

    Why can't I disable it?

    Edit: So I have tried so many things that I want to recap:
    I only have one declaration of SSLProtocol and it doesn't matter where I put it (in my vhost conf or my ssl-default conf).
    I know that it is loaded, because the denying of all protocols with the option "-all" works fine. The denying of a special protocol doesn't work (like the option -SSLv3). If one protocol is allowed, every protocol is available (for example with "SSLProtocol TLSv1 -SSLv2 -SSLv3" or "SSLProtocol -all TLSv1" every protocol is available!).
    Some ideas?

    • Thomas K
      Thomas K over 9 years
      How do you know they are available? If you try connecting with "openssl s_client -ssl3 -host [your ip] -port 443" you will get "routines:SSL3_GET_RECORD:wrong version number" if it's not supported. If it's supported, you will see a certificate and much more.
    • manderda
      manderda over 9 years
      I checked it with "openssl s_client..." and I checked it with ssllabs.com
    • Sreeraj
      Sreeraj over 9 years
      Do you have more than one ssl.conf on your server? Are there separate SSL entries for vhosts?
    • Thomas K
      Thomas K over 9 years
      Have you tried with "-ALL" in lower case? In httpd.apache.org/docs/2.2/ssl/ssl_howto.html the syntax is in lower case for SSLProtocol and upper case for SSLCipherSuite.
    • manderda
      manderda over 9 years
      No, there is only 1 ssl.conf, and there I tried the lower case '-all'. Still no change.
  • manderda
    manderda over 9 years
    I have already tried that...
  • SailorCire
    SailorCire over 9 years
    @manderda, What tool are you using to check that SSLv3 is still present?
  • manderda
    manderda over 9 years
    With site conf you mean where my VirtualHost is defined? I don't have a site.conf file...
  • xx4h
    xx4h over 9 years
    Yep. Take SITE conf and SITE definition as synonyms here
  • manderda
    manderda over 9 years
    okay, my ssl conf is loaded before my site conf. SSLv2 and SSLv3 still available.
  • manderda
    manderda over 9 years
    as I said before: I am checking my Server with SSLLabs.com and with "openssl s_client -connect website:443 -quiet -ssl2"
  • xx4h
    xx4h over 9 years
    Maybe it's overwritten globally by another conf file (inside a VirtualHost only applies to the VirtualHost itself). grep -Ri SSLProtocol /etc/httpd (or maybe /etc/apache2).
  • manderda
    manderda over 9 years
    I have searched the /etc/apache2/ folder with 'grep -nR "SSLProtocol" .' and the only time it gets called is in my ssl.conf.
  • xx4h
    xx4h over 9 years
    Just append SSLProtocol ... to the VirtualHost and check if that works.
  • SailorCire
    SailorCire over 9 years
    @manderda what is in the respective vhosts and in httpd.conf? Your original question explicitly mentions ssl.conf while the default for OpenSuSE is to use ssl-global.conf
  • manderda
    manderda over 9 years
    I do mean the ssl-global.conf. Sorry for that mistake.
  • manderda
    manderda over 9 years
    I have already tried that. I'm pretty sure that the SSLProtocol is loaded from the ssl-global.conf file, because if I do "SSLProtocol -all" I get an error when I restart Apache because no SSLProtocol is given.
  • SailorCire
    SailorCire over 9 years
    @manderda I agree with @xx4h; try appending the SSL directive to the bottom of your vhost.conf file and see if that works.
  • manderda
    manderda over 9 years
    I tried that... still no change. If I don't declare any protocol, or deactivate all with "-all", I get an error when I start Apache (which shows that the option takes effect). But when I declare any protocol (e.g. "SSLProtocol SSLv2") all protocols are available. It doesn't matter if I deactivate them with "-SSLv3 or TLSv1". How can that be?