How to disable SSLv3 in Apache?
Everybody seems to be talking about the POODLE vulnerability today. And everybody recommends disabling SSLv3 in Apache using the following configuration directive:

```
SSLProtocol All -SSLv2 -SSLv3
```

instead of the default

```
SSLProtocol All -SSLv2
```

I've done that, and no joy – after testing repeatedly with various tools (here's a fast one), I find that SSLv3 is happily accepted by my server.

Yes, I did restart Apache. Yes, I did a recursive `grep` on all configuration files, and I don't have any override anywhere. And no, I'm not using some ancient version of Apache:

```
# apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29
```
So, what gives? How does one really disable SSLv3 in Apache?
As explained in the question, I have performed all steps indicated in that section and SSL3 is still available. I couldn't tell you which specific part of that section fails to disable SSL3, but the point is that it just doesn't, in its entirety. Having said that, I understand you have your moderator hat on at the moment, so please unhold the question — it might well prove that I'm a moron and I made an elementary mistake, but from a moderator's POV this is a legitimate question.
I had the same problem... You have to include
`SSLProtocol all -SSLv2 -SSLv3` within every VirtualHost stanza in httpd.conf.

The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:

```
...
...
<VirtualHost your.website.example.com:443>
    DocumentRoot /var/www/directory
    ServerName your.website.example.com
    ...
    SSLEngine on
    ...
    SSLProtocol all -SSLv2 -SSLv3
    ...
</VirtualHost>
```
Also check ssl.conf or httpd-ssl.conf or similar because they may be set there, not necessarily in httpd.conf
For the record, depending on your sysadmin/webmaster, VirtualHosts might just as well live within their own dedicated file in conf.d (that's how I like to keep house, and it's something I learned, not something I invented, so I expect I'm not the only one).
Note that as of at least Apache 2.4+ `SSLProtocol` configured outside of VirtualHost stanzas will apply to all virtual hosts.
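Added example, not code from the thread or from the Apache project: a small shell/awk audit that walks Apache configuration files and reports every port-443 VirtualHost stanza whose own `SSLProtocol` line still leaves SSLv3 enabled, or that has no `SSLProtocol` line of its own and therefore depends on the server-wide value (the situation the accepted answer describes). The file names, server names and the sample config are constructed. It assumes one directive per line, `<VirtualHost ...>` and `</VirtualHost>` on their own lines and no nesting, and it applies `SSLProtocol` tokens left to right the way mod_ssl does: an unsigned keyword replaces the whole set, `+` adds, `-` removes, and `all` means every protocol version.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache config files for :443
# VirtualHost stanzas that still allow SSLv3. Assumes one directive per line,
# <VirtualHost ...> / </VirtualHost> on their own lines, no nested stanzas.

# audit_vhosts FILE... -> one line per :443 stanza: "FILE:LINE SERVERNAME STATUS"
#   OK      - the stanza's own SSLProtocol leaves SSLv3 disabled
#   WEAK    - the stanza's own SSLProtocol still enables SSLv3
#   MISSING - no SSLProtocol inside the stanza; it relies on the server-wide one
# Tokens are applied left to right as mod_ssl does: an unsigned keyword replaces
# the set, "+" adds, "-" removes, "all" stands for every protocol version.
audit_vhosts() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]/ {
            in_vh = 1; start = NR; name = "-"; proto = ""
            ssl = ($0 ~ /:443[[:space:]]*>/) ? 1 : 0
            next
        }
        in_vh && /^[[:space:]]*ServerName[[:space:]]/ { name = $2 }
        in_vh && /^[[:space:]]*SSLProtocol[[:space:]]/ {
            proto = $0
            sub(/^[[:space:]]*SSLProtocol[[:space:]]+/, "", proto)
        }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (in_vh && ssl) {
                if (proto == "") {
                    status = "MISSING"
                } else {
                    sslv3 = 0
                    n = split(proto, tok, "[[:space:]]+")
                    for (i = 1; i <= n; i++) {
                        t = tolower(tok[i])
                        if (t == "") continue          # trailing whitespace
                        sign = substr(t, 1, 1)
                        if (sign == "+" || sign == "-") t = substr(t, 2); else sign = ""
                        if (t == "all" || t == "sslv3") sslv3 = (sign != "-")
                        else if (sign == "") sslv3 = 0  # unsigned keyword replaces the set
                    }
                    status = sslv3 ? "WEAK" : "OK"
                }
                printf "%s:%d %s %s\n", FILENAME, start, name, status
            }
            in_vh = 0
        }
    ' "$@"
}

# vhosts_allowing_sslv3 FILE... -> only the stanzas an operator has to fix
vhosts_allowing_sslv3() {
    audit_vhosts "$@" | grep -E ' (WEAK|MISSING)$' || true
}

# write_sample_config FILE: a constructed httpd.conf fragment with a server-wide
# directive (which this per-stanza audit deliberately ignores), one :80 stanza,
# and three :443 stanzas: one correct, one weak, one without SSLProtocol.
write_sample_config() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3

<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName good.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

<VirtualHost *:443>
    ServerName weak.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>

<VirtualHost *:443>
    ServerName nothing.example.com
    SSLEngine on
</VirtualHost>
EOF
}

# Stand-alone demo on the constructed sample (real use: audit_vhosts /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)
tmp=$(mktemp)
write_sample_config "$tmp"
audit_vhosts "$tmp"
rm -f "$tmp"
```

The audit only looks at what is written inside each stanza, so a MISSING result is a prompt to check which value the stanza actually inherits on your Apache version rather than a verdict on its own; the external SSL Labs or nmap checks mentioned in the other answers remain the final word on what the server really negotiates.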
I found this tool that will test, among other things, whether your server has SSLv3 disabled: https://www.ssllabs.com/ssltest/index.html
This answer was very helpful for me when disabling TLSv1. To check if a given protocol is fully disabled, I found the following useful: `nmap -sV --script ssl-enum-ciphers -p 443 `.