How to Disable SSLv2 for Apache httpd
Solution 1:
Change SSLProtocol and SSLCipherSuite lines to,
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Reload your apache for the configuration to take effect.
The SSLHonorCipherOrder On will try the ciphers in the order it is specified.
Above configuration passes the check on ssllabs.com except for TLS version. My CentOS 6 only supports TLS 1.0 because of OpenSSL 1.0.0. OpenSSL 1.0.1 supports TLS 1.1 and 1.2.
Do you have any load balancer or proxy in front of your apache?
Solution 2:
You might want to make sure that there isn't another SSLProtocol
or SSLCiperSuite
direcive anywhere in your Apache config that's overriding the one you just added.
If you can't find it, try adding those two to your SSL vhost rather than ssl.conf
. This will help ensure that the correct ones are the last ones applied.