How to disable SSLv3 in Apache?

  • Everybody seems to be talking about the POODLE vulnerability today. And everybody recommends disabling SSLv3 in Apache using the following configuration directive:

    SSLProtocol All -SSLv2 -SSLv3
    

    instead of the default

    SSLProtocol All -SSLv2
    

    I've done that, and no joy – after testing repeatedly with various tools (here's a fast one), I find that SSLv3 is happily accepted by my server.

    Yes, I did restart Apache. Yes, I did a recursive grep on all configuration files, and I don't have any override anywhere. And no, I'm not using some ancient version of Apache:

    [[email protected] ~]# apachectl -v
    Server version: Apache/2.2.15 (Unix)
    Server built:   Jul 23 2014 14:17:29
    

    So, what gives? How does one really disable SSLv3 in Apache?

    As explained in the question, I have performed all steps indicated in that section and SSL3 is still available. I couldn't tell you which specific part of that section fails to disable SSL3, but the point is that it just doesn't, in its entirety. Having said that, I understand you have your moderator hat on at the moment, so please unhold the question — it might well prove that I'm a moron and I made an elementary mistake, but from a moderator's POV this is a legitimate question.

  • darcoli (Correct answer, 6 years ago)

    I had the same problem... You have to include SSLProtocol all -SSLv2 -SSLv3 within every VirtualHost stanza in httpd.conf

    The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:

    ...
    ...
    <VirtualHost your.website.example.com:443>
        DocumentRoot /var/www/directory
        ServerName your.website.example.com
    
        ...
        SSLEngine on
        ...
        SSLProtocol all -SSLv2 -SSLv3
        ...
    </VirtualHost>
    

    Also check ssl.conf or httpd-ssl.conf or similar, because SSLProtocol may be set there rather than in httpd.conf.

    For the record, depending on your sysadmin/webmaster, VirtualHosts might just as well live within their own dedicated file in conf.d (that's how I like to keep house, and it's something I learned, not something I invented, so I expect I'm not the only one).

    Note that as of at least Apache 2.4+ `SSLProtocol` configured outside of VirtualHost stanzas will apply to all virtual hosts.

    I found this tool that will test, among other things, whether your server has SSLv3 disabled: https://www.ssllabs.com/ssltest/index.html

    This answer was very helpful for me when disabling TLSv1. To check if a given protocol is fully disabled, I found the following useful: `nmap -sV --script ssl-enum-ciphers -p 443 `.

    Is there a way to set up the `SSLProtocol` system-wide, without having to edit each VirtualHost?
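The accepted answer and the later comment about server-level scope both come down to one check: for every SSL-enabled VirtualHost, what is the SSLProtocol value that actually applies? The audit below is an added example, not code from the question or the answer. It walks an Apache config as text, records the server-level SSLProtocol and each VirtualHost's own, and reports which SSL vhosts still allow SSLv3 either through their own directive or because they set none and depend on the server-level line. The config it reads is a constructed sample; the `SAMPLE_CONF` name, the function names and the "relies on server-level" wording are mine. It does not read Include files, so point it at the flattened output of each file you grep, or extend it to follow `Include`.

```python
import re

# Constructed sample httpd.conf fragment (not taken from any real server).
# Server-level line is fixed; one vhost still carries the old ssl.conf default.
SAMPLE_CONF = """
SSLProtocol All -SSLv2 -SSLv3

<VirtualHost 10.0.0.1:443>
    ServerName good.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

<VirtualHost 10.0.0.1:443>
    ServerName bad.example.com
    SSLEngine on
    # stale default copied from ssl.conf: overrides the server-level line
    SSLProtocol all -SSLv2
</VirtualHost>

<VirtualHost 10.0.0.1:443>
    ServerName inherits.example.com
    SSLEngine on
</VirtualHost>

<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def sslv3_allowed(protocol_value):
    """True if an SSLProtocol value still enables SSLv3.
    Tokens are processed left to right: 'all', 'SSLv3' or '+SSLv3' add it,
    '-SSLv3' or '-all' remove it (mirrors how mod_ssl reads the list)."""
    allowed = False
    for tok in protocol_value.split():
        low = tok.lower()
        if low.startswith("-"):
            if low[1:] in ("sslv3", "all"):
                allowed = False
        elif low.lstrip("+") in ("all", "sslv3"):
            allowed = True
    return allowed


def parse_vhosts(conf_text):
    """Collect server-level directives and one dict per <VirtualHost> block.
    Directive names are lower-cased; blank lines and comments are skipped."""
    server, vhosts, current = {}, [], None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "directives": {}}
            continue
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        target = current["directives"] if current is not None else server
        target[m.group(1).lower()] = m.group(2)
    return server, vhosts


def audit(conf_text):
    """Return (ServerName, finding) for every vhost with SSLEngine on."""
    server, vhosts = parse_vhosts(conf_text)
    findings = []
    for vh in vhosts:
        d = vh["directives"]
        if d.get("sslengine", "off").lower() != "on":
            continue
        name = d.get("servername", vh["addr"])
        if "sslprotocol" in d:
            if sslv3_allowed(d["sslprotocol"]):
                findings.append((name, "SSLv3 ENABLED by vhost-level SSLProtocol"))
            else:
                findings.append((name, "ok: vhost-level SSLProtocol excludes SSLv3"))
        elif "sslprotocol" not in server:
            findings.append((name, "no SSLProtocol anywhere: mod_ssl default applies, check it"))
        elif sslv3_allowed(server["sslprotocol"]):
            findings.append((name, "SSLv3 ENABLED via server-level SSLProtocol"))
        else:
            findings.append((name, "relies on server-level SSLProtocol (excludes SSLv3); "
                                   "set it in the vhost too on 2.2"))
    return findings


def sslv3_vhosts(conf_text):
    """Names of vhosts where SSLv3 is definitely still enabled."""
    return [n for n, f in audit(conf_text) if f.startswith("SSLv3 ENABLED")]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF):
        print(f"{name}: {finding}")
```

Run it against your real files with `audit(open(path).read())` for each file the recursive grep turned up; a vhost reported as "ENABLED by vhost-level SSLProtocol" is exactly the case in the accepted answer, where a per-vhost line silently overrides the server-level fix.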

License under CC-BY-SA with attribution