How to Disable SSLv2 for Apache httpd

Solution 1:

Change the SSLProtocol and SSLCipherSuite lines to:

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Reload Apache for the configuration to take effect.

SSLHonorCipherOrder On will try the ciphers in the order they are specified.

The above configuration passes the check on ssllabs.com except for the TLS version. My CentOS 6 only supports TLS 1.0 because of OpenSSL 1.0.0. OpenSSL 1.0.1 supports TLS 1.1 and 1.2.

Do you have any load balancer or proxy in front of your Apache?

Solution 2:

You might want to make sure that there isn't another SSLProtocol or SSLCipherSuite directive anywhere in your Apache config that's overriding the one you just added.

If you can't find it, try adding those two to your SSL vhost rather than ssl.conf. This will help ensure that the correct ones are the last ones applied.
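
The check Solution 2 describes, as an added example that is not part of either answer: list every SSLProtocol and SSLCipherSuite directive with its file, line and scope, and flag any SSLProtocol line that leaves SSLv2 enabled. The file names and contents are constructed, and the script assumes that "all" includes SSLv2 (as on older builds) and that arguments are applied left to right, with a bare token replacing what was set before it.

```python
import re

# Assumption: "all" expands to this set, as on older builds where SSLv2 is
# still compiled in (the situation this page is about).
ALL = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right (assumed mod_ssl behaviour)."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = set(ALL) if name == "all" else {CANON.get(name, tok.lstrip("+-"))}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:  # a bare token replaces whatever was set so far
            enabled = group
    return enabled

# Anchored at line start, so commented-out directives never match.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)

def find_directives(files):
    """files: {path: text}. Returns (path, line, scope, directive, args, sslv2)."""
    hits = []
    for path, text in files.items():
        scope = "server"
        for lineno, line in enumerate(text.splitlines(), 1):
            if m := VHOST_OPEN.match(line):
                scope = "vhost " + m.group(1).strip()
            elif line.strip().lower() == "</virtualhost>":
                scope = "server"
            elif m := DIRECTIVE.match(line):
                name, args = m.groups()
                sslv2 = name.lower() == "sslprotocol" and "SSLv2" in enabled_protocols(args)
                hits.append((path, lineno, scope, name, args, sslv2))
    return hits

# Constructed sample files (not from the page).
SAMPLE = {
    "conf.d/ssl.conf": "SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2\nSSLHonorCipherOrder On\n",
    "conf.d/site.conf": "<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol all\n</VirtualHost>\n",
}
if __name__ == "__main__":
    for h in find_directives(SAMPLE):
        print(f"{h[0]}:{h[1]} [{h[2]}] {h[3]} {h[4]}" + ("  <-- enables SSLv2" if h[5] else ""))
```

On the sample, the ssl.conf line is clean but the vhost's own SSLProtocol line re-enables SSLv2, which is the override case Solution 2 warns about.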