Disable SSLv3 in Apache2 on a clean install of ubuntu 14.04.1 Server

I have a new install of ubuntu server version 14.04.1 I have apache2 with SSL enabled. I want to disable SSLv3

(I am aware this is a popular question but I have trawlled all other answers on multiple sites and I believe I have followed all the steps they suggest.)

When I use the command:

nmap --script ssl-enum-ciphers -p 443 MYDOMAIN.com

I can see two sets of ciphers. One SSLv3 and one TLSV1.0

I have the SSL module enabled and it's configuation file is /etc/apache2/mods-enabled/ssl.conf

I have altered it by changing the line

SSLProtocol all

to

SSLProtocol All -SSLv2 -SSLv3

From all the documentation and web tutorials this should disable SSLv3.

I restart apache with the command

sudo service apache2 restart

but there is no change. SSLv3 is still listed.

I have tried stopping the server and re-running the command to ensure I am not accidently checking the wrong server. As expected the result changes.

Can anyone suggest what mistake I am making.

Robert

My exact ubuntu version:

root@xxxx:/etc/apache2/mods-enabled# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:   trusty

My exact apache2 version:

root@xxxx:~# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 22 2014 14:36:38

My exact openssl version:

root@xxxx:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014

References:

http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol

Solution 1:

I found that I had other config files which overrode the option.

It was possible to find the files by running:

cd /etc/apache2
grep -r "SSLProto" .

Solution 2:

SSLv2 is no longer supported.

Therefore

SSLProtocol All -SSLv2 -SSLv3

won't work

SSLProtocol All -SSLv3

will

Solution 3:

in your apache configuration file use below settings:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

then restart your apache and check your site at

https://www.ssllabs.com/ssltest/analyze.html?d=www.yourfancysite.com

It gave me grade A (as of 2017 July), while with my previous setting I only had F :)

Credits to:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/