How to Disable SSLv2 for Apache httpd
Solution 1
Change the SSLProtocol and SSLCipherSuite lines to:
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Reload your Apache for the configuration to take effect.
With SSLHonorCipherOrder On, the ciphers will be tried in the order they are specified.
The above configuration passes the check on ssllabs.com except for the TLS version. My CentOS 6 only supports TLS 1.0 because of OpenSSL 1.0.0. OpenSSL 1.0.1 supports TLS 1.1 and 1.2.
Do you have any load balancer or proxy in front of your apache?
Solution 2
You might want to make sure that there isn't another SSLProtocol or SSLCipherSuite directive anywhere in your Apache config that's overriding the one you just added. If you can't find it, try adding those two to your SSL vhost rather than ssl.conf. This will help ensure that the correct ones are the last ones applied.
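As an added example (it is not code from either answer above), the following POSIX shell script does what Solution 2 describes and checks the result of Solution 1: it lists every active SSLProtocol and SSLCipherSuite directive under an Apache config tree with its file and line, so a per-vhost override of the server-wide setting becomes visible, and it evaluates each SSLProtocol line with mod_ssl's token rules ("+name" adds, "-name" removes, a bare name replaces the set) to report whether SSLv2 is still enabled in that context. The config tree it builds is constructed for the demonstration, and the expansion of "all" to SSLv2/SSLv3/TLSv1 is an assumption matching the httpd 2.2 / OpenSSL 1.0.0 builds discussed here.

```shell
#!/bin/sh
# Added example, not code from either answer: audit an Apache config tree for
# SSLProtocol / SSLCipherSuite directives and evaluate each SSLProtocol line
# with mod_ssl's token rules to see whether SSLv2 is still enabled there.
# The config tree is constructed below purely for the demonstration.
set -eu

# Evaluate one SSLProtocol argument list the way mod_ssl parses it:
# "+name" adds a protocol, "-name" removes one, and a bare "name" replaces
# the whole set. "all" is assumed to expand to SSLv2 SSLv3 TLSv1, as on the
# httpd 2.2 / OpenSSL 1.0.0 builds discussed on this page. Prints the
# effective protocol set, space separated.
effective_protocols() {
    cur=""
    for tok in $1; do
        case "$tok" in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
            all)   protos="SSLv2 SSLv3 TLSv1" ;;
            sslv2) protos="SSLv2" ;;
            sslv3) protos="SSLv3" ;;
            tlsv1) protos="TLSv1" ;;
            *)     printf 'unknown SSLProtocol token: %s\n' "$name" >&2; continue ;;
        esac
        case "$action" in
            set) cur="$protos" ;;
            add) for p in $protos; do
                     case " $cur " in *" $p "*) ;; *) cur="$cur $p" ;; esac
                 done ;;
            del) new=""
                 for p in $cur; do
                     case " $protos " in *" $p "*) ;; *) new="$new $p" ;; esac
                 done
                 cur=$new ;;
        esac
    done
    printf '%s\n' "$cur" | sed 's/^ *//'
}

# True (exit 0) when SSLv2 survives in the effective set of an SSLProtocol line.
sslv2_allowed() {
    case " $(effective_protocols "$1") " in
        *" SSLv2 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report every active (non-comment) SSLProtocol and SSLCipherSuite directive
# under a directory as file:line, so a per-vhost override of the server-wide
# setting is visible. SSLProtocol lines get an SSLv2 verdict.
audit_ssl_directives() {
    grep -rniE '^[[:space:]]*SSL(Protocol|CipherSuite)[[:space:]]' "$1" |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}; line=${rest%%:*}
        text=$(printf '%s\n' "${rest#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]\{1,\}/ /g')
        directive=${text%% *}; args=${text#* }
        case "$directive" in
            [Ss][Ss][Ll][Pp]*)
                if sslv2_allowed "$args"; then verdict="SSLv2 ENABLED"; else verdict="SSLv2 disabled"; fi ;;
            *)  verdict="cipher list; protocol versions are set by the protocol directive" ;;
        esac
        printf '%s:%s  %s %s  [%s]\n' "$file" "$line" "$directive" "$args" "$verdict"
    done
}

# Constructed sample tree: ssl.conf carries the fix from Solution 1, while a
# stale per-vhost line silently re-enables SSLv2 for that one host.
build_demo_tree() {
    mkdir -p "$1/conf.d" "$1/vhosts/mydomain/conf"
    cat > "$1/conf.d/ssl.conf" <<'EOF'
#SSLProtocol all
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
EOF
    cat > "$1/vhosts/mydomain/conf/vhost_ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    ServerName mydomain.example
    SSLProtocol all
</VirtualHost>
EOF
}

demo=$(mktemp -d)
build_demo_tree "$demo"
audit_ssl_directives "$demo"
rm -rf "$demo"
```

On a real host, point audit_ssl_directives at the directories the question mentions, /etc/httpd and /var/www/vhosts, and read the verdicts per file: the line that wins for a given site is the last one applied in that site's <VirtualHost> block, so a server-wide fix in ssl.conf is undone by an older per-vhost SSLProtocol line.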
Yahoo
Updated on September 18, 2022
Comments
-
Yahoo over 1 year
I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak Cipher Suites.
How can I disable that? I tried the following but it isn’t working.
Went to /etc/httpd/conf.d/ssl.conf by ftp. Added
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
Connected to the server by putty and gave the
service httpd restart
command.
But still it's showing insecure on the site. How can I fix it? My server is Plesk 10.3.1 CentOS. There are 3-4 sites on the same server.
-
Admin almost 12 years
A few years ago I had a problem while renewing an SSL certificate. The new configuration was ignored, even after an Apache restart. Stopping Apache then starting Apache solved the problem.
-
Yahoo almost 12 years
@EricDANNIELOU - I rebooted the whole server, still no luck.
-
Yahoo almost 12 years
There isn't any duplicate entry in the file. How can I check in the SSL vhost? Where is this file placed? (I'm new here.)
-
Yahoo almost 12 years
/var/www/vhosts/mydomain/conf/vhost_ssl.conf
& /var/www/vhosts/mydomain/conf/vhost.conf
In both files I have added
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Still isn't working :/
-
Yahoo almost 12 years
However, when I run this, I get an error. So it seems it's disabled, but the site isn't showing it.
openssl s_client -ssl2 -connect localhost:443
CONNECTED(00000003)
21731:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
-
Chida almost 12 years
It could be coming from your load balancer or proxy from some other backend application. Without much detail on your setup/architecture, it is hard to debug. The configuration I mentioned works for my Apache that serves SSL directly, and ssllabs.com gives me a rating of 88.
-
Yahoo almost 12 years
So I should disable the load balancer, if it's there on the system? How can I find out if it's installed or not?
-
MathieuB almost 12 years
If Apache listens on port *:80 and your server has the public IP corresponding to your website, there is no load balancer. Also check DNS records for round robin.
-
Chida almost 12 years
Could you post your Apache configuration files?
-
Chida over 11 years
Adi, did this work for you? Could you post your Apache config files?
-
Yahoo over 11 years
@Chida - No. It's still not working. Do you need the ssl.conf file?
-
Yahoo over 11 years
@Chida - I can email them. Can I know your email ID?
-
Yahoo over 11 years
@Chida - I uploaded the files at adimathur.com/ssl.zip
-
Paul about 9 years
I think the user only wanted to remove SSL v2.
-
Deer Hunter about 9 years
Are you using Plesk? Please elaborate on how your situation matches that described in the original question.