1

I'm trying to disable SSLv3 to avoid the Poodle problem. I'm using the following instructions as a guidleine: https://access.redhat.com/solutions/1232413

I've applied the following line to my config file:

SSLProtocol All -SSLv2 -SSLv3

and restarted apache, but it looks like I'm still vulnerable. I'm using this tool to verify: https://access.redhat.com/labs/poodle/

I've also done a grep to make sure SSL is not active anywhere else, which it isn't.

I came across this post: How to disable SSLv3 in Apache?, the accepted answer states that you have to put in the above line in every vhost stanza, is this true? I do have other vhosts on this server but they are required to be secure.

** EDIT: Adding sanatised config file for the site with SSL references. **

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/html/xxxxxx.xxxxxx.xxx"
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerAlias xxxxxx.xxxxxx.xxx
    ServerName xxxxxx.xxxxxx.xxx
    ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
    CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common
</VirtualHost>

    <VirtualHost *:443>
        ServerAdmin [email protected]
        DocumentRoot "/html/xxxxxxxxxxx/xxxxxx”
        ServerAlias xxxxxx.xxxxxx.xxx
        ServerAlias xxxxxx.xxxxxx.xxx
        ServerName xxxxxx.xxxxxx.xxx
        ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
        CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common

        SSLEngine on

        SSLCertificateFile /path/to/cert/xxxxxx.xxxxxx.xxx.crt
        SSLCertificateKeyFile /path/to/key/xxxxxx.xxxxxx.xxx.key
        SSLCertificateChainFile /path/to/chain/xxxxxx.xxxxxx.xxx.ca

        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ALL:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn

        <Directory "/html/xxxxxx.xxxxxx.xxx">
                DirectoryIndex index.php index.htm index.html
                Options -Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
    </VirtualHost>

My other vhost files are just standard configs for port 80, there's nothing special about them.

sudo service httpd configtest returns Syntax OK.

Improve this question
10
  • Could you use ssllabs.com/ssltest instead and verify. Commented Oct 20, 2014 at 13:37
  • @Braiam I just tested the above link and I'm still vulnerable. Commented Oct 20, 2014 at 13:45
  • Could you provide, the version of apache and a sanitinized copy of your httpd.conf files? Might be good also sudo apache2ctl configtest Commented Oct 20, 2014 at 13:48
  • @Braiam details added. Commented Oct 20, 2014 at 14:11
  • 1
    "put in the above line in every vhost stanza" I believe is true only if each vhosts has 'SSLProtocol' stated separately, which I believe is not true in your case. Could you check whether there are any other ssl.conf files on your server? Commented Oct 20, 2014 at 14:54

2 Answers 2

Reset to default
2

I solved the problem, I had to put the following line:

SSLProtocol all -SSLv2 -SSLv3

in the /etc/httpd/conf.d/ssl.conf

For some reason the settings in the vhost config where not taking priority.

Improve this answer
0

One way i used to locate all HTTPS vhost is to recursive grep all the config files under httpd/apache2 dir.

/etc/apache2# grep -nR 'SSLEngine on' .
Improve this answer
4
  • I used the following: sudo grep -r -i 'SSLProtocol' /etc/httpd and it just returned results in mod_ssl and my vhost config file. Commented Oct 20, 2014 at 14:13
  • Above command just returns results in my vhost file. Commented Oct 20, 2014 at 14:14
  • grep for 'SSLEngine on' not 'SSLProtocol' Commented Oct 20, 2014 at 14:50
  • I did it just returned the one result. Commented Oct 20, 2014 at 15:38

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.