1

I am trying to turn off SSLv2 and SSLv3 on my Apache 2.2.22 on SUSE.

I disabled SSLv2 and SSLv3 in my /etc/apache2/vhost.d/vhost-ssl.conf with this command:

SSLProtocol all -SSLv2 -SSLv3

When I check my website on ssllabs.com, it still says that both versions of SSL are available.

What am I missing?

Regards

manderda
  • Have you restarted the httpd service? You can restart the Apache service with the following command: sudo service httpd restart – TheLukeMcCarthy Oct 16 '14 at 11:20
  • Yes, I did... I restarted the complete server. The only thing I can think of is that the SSLProtocol option is overwritten somewhere else... but I really don't know how I can look that up? – manderda Oct 16 '14 at 11:26
  • OK take a look at the answer I provided below. – TheLukeMcCarthy Oct 16 '14 at 11:30

1 Answer

3

First off, have you restarted the Apache service? You can restart Apache by using the following command:

sudo service httpd restart

If that doesn't work, use a tool like grep to search for 'SSLProtocol' in all files in the /etc/httpd directory. The SSL protocol could be set in a number of places, and it could be picking up a setting from somewhere else. Try the following grep command to find all usages of SSLProtocol:

sudo grep -rin "SSLProtocol" /etc/httpd/*

If you are running Apache 2.2 or older, the syntax you have used won't work; you will need to specify each protocol you would like to support. You will need to change it to something like the following:

The method which you are using is for the new version of Apache and OpenSSL. It might be possible that the new version of these isn't installed on your system; verify the currently installed version. Since SSLv2 and SSLv3 are both vulnerable to some attacks, it would be better to use only TLS. So modify your SSLProtocol file as follows:

SSLProtocol TLSv1 TLSv1.1 TLSv1.2

I found this example at https://unix.stackexchange.com/a/162479

TheLukeMcCarthy
  • I don't have a /etc/httpd/ folder. Is that similar to my /etc/apache2/ folder? – manderda Oct 16 '14 at 11:31
  • Yes, it will be. I'm running CentOS, which is a Red Hat-based distro. If you're running a different distro, the directory structure might be different. – TheLukeMcCarthy Oct 16 '14 at 11:33
  • That's my output: # grep -rin "SSLProtocol" /etc/apache2/* /etc/apache2/default-vhost-ssl.conf:43: SSLProtocol -SSLv2 -SSLv3 +TLSv1 /etc/apache2/default-vhost-ssl.conf.rpmnew:43: SSLProtocol all -SSLv2 -SSLv3 /etc/apache2/httpd.conf:214:SSLProtocol all -SSLv2 -SSLv3 /etc/apache2/ssl-global.conf:67: SSLProtocol all -SSLV2 -SSLV3 /etc/apache2/vhosts.d/vhost-ssl.conf:42: SSLProtocol all -SSLv2 -SSLv3 – manderda Oct 16 '14 at 11:36
  • What version of Apache are you running and what distro/version of Linux? – TheLukeMcCarthy Oct 16 '14 at 11:37
  • I am running Apache 2.2.22 on an openSUSE 12.3 Linux distro – manderda Oct 16 '14 at 11:40
  • I have changed it like you mentioned, but still no change. I have checked whether I have another virtual host running, but I only have one. Thank you so far, I will follow the thread you have posted in your answer. – manderda Oct 16 '14 at 12:13
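
A follow-up to the grep step in the answer, as an added example that is not code from the thread or from Apache: it evaluates each uncommented `SSLProtocol` line it finds and marks any that still leave SSLv2 or SSLv3 enabled. The left-to-right token semantics, the `ALL` list, the function names and the sample files are assumptions made for this example.

```sh
# Added example, not code from the thread. Assumption: tokens apply left to right
# ("+X" adds, "-X" removes, bare name replaces); ALL is a constructed superset of "all".
ALL="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# effective_protocols TOKEN...: print the protocols the tokens leave enabled.
effective_protocols() {
    enabled=" "
    for tok in "$@"; do
        case $tok in
            +*) action=+ tok=${tok#+} ;;
            -*) action=- tok=${tok#-} ;;
            *)  action= ;;
        esac
        case $(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]') in
            all) names=$ALL ;;
            sslv2) names=SSLv2 ;; sslv3) names=SSLv3 ;; tlsv1) names=TLSv1 ;;
            tlsv1.1) names=TLSv1.1 ;; tlsv1.2) names=TLSv1.2 ;;
            *) echo "unknown token: $tok" >&2; return 2 ;;
        esac
        [ -n "$action" ] || enabled=" "          # bare name: start over
        for n in $names; do
            kept=" "
            for e in $enabled; do [ "$e" = "$n" ] || kept="$kept$e "; done
            [ "$action" = - ] || kept="$kept$n "; enabled=$kept
        done
    done
    out=
    for p in $ALL; do case $enabled in *" $p "*) out="$out $p" ;; esac; done
    echo "${out# }"
}

# audit_sslprotocol DIR: evaluate each uncommented SSLProtocol line under DIR.
audit_sslprotocol() {
    grep -rinE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS=: read -r file line directive; do
        set -f; set -- $directive; set +f; shift   # drop the directive name
        result=$(effective_protocols "$@") || result="parse-error"
        case " $result " in *" SSLv2 "*|*" SSLv3 "*) flag=LEGACY ;; *) flag=ok ;; esac
        printf '%s %s:%s -> %s\n' "$flag" "$file" "$line" "$result"
    done
}

# Constructed sample tree: one directive quoted in the thread, one hypothetical override.
demo() {
    d=$(mktemp -d) || return 1
    printf '  SSLProtocol all -SSLV2 -SSLV3\n' > "$d/ssl-global.conf"
    printf '#SSLProtocol all -SSLv2\nSSLProtocol all\n' > "$d/override.conf"
    (cd "$d" && audit_sslprotocol .); rm -rf "$d"
}
demo
```

Each line is evaluated in isolation; which directive applies to a given virtual host still depends on where that file is included. On a real server, point `audit_sslprotocol` at the configuration directory, for example /etc/apache2.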