Disable SSLv3 in Apache2 on a clean install of Ubuntu 14.04.1 Server
I have a new install of Ubuntu Server version 14.04.1. I have apache2 with SSL enabled. I want to disable SSLv3.
(I am aware this is a popular question, but I have trawled all other answers on multiple sites and I believe I have followed all the steps they suggest.)
When I use the command:
nmap --script ssl-enum-ciphers -p 443 MYDOMAIN.com
I can see two sets of ciphers: one for SSLv3 and one for TLSv1.0.
I have the SSL module enabled and its configuration file is /etc/apache2/mods-enabled/ssl.conf
I have altered it by changing the line
SSLProtocol all
to
SSLProtocol All -SSLv2 -SSLv3
From all the documentation and web tutorials, this should disable SSLv3.
I restart Apache with the command
sudo service apache2 restart
but there is no change. SSLv3 is still listed.
I have tried stopping the server and re-running the command to ensure I am not accidentally checking the wrong server. As expected, the result changes.
Can anyone suggest what mistake I am making?
Robert
My exact Ubuntu version:
root@xxxx:/etc/apache2/mods-enabled# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
My exact apache2 version:
root@xxxx:~# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38
My exact openssl version:
root@xxxx:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
References:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol
Solution 1:
I found that I had other config files which overrode the option.
It was possible to find the files by running:
cd /etc/apache2
grep -r "SSLProto" .
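A way to mechanise that search, as an added example (not part of the original answer): it lists every uncommented SSLProtocol directive under an Apache config tree that still permits SSLv3, and with no argument runs against a constructed sample tree that reproduces the question's situation.

```shell
#!/bin/sh
# Added example, not from the original answers: audit an Apache config tree
# (e.g. /etc/apache2) for SSLProtocol directives that still permit SSLv3.
# A <VirtualHost> directive overrides mods-enabled/ssl.conf, so every copy
# has to exclude SSLv3, not just the one in the module config.

# Print "file:line:directive" for each uncommented SSLProtocol line that
# permits SSLv3: it names "all" or "SSLv3" and does not also say "-SSLv3".
# Keyword matching is case-insensitive, as it is in mod_ssl.
sslv3_permitting_lines() {
    grep -rniE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null \
      | grep -iE '(^|[[:space:]])\+?(all|sslv3)([[:space:]]|$)' \
      | grep -viE '(^|[[:space:]])-sslv3([[:space:]]|$)'
}
# Number of such directives (0 means the tree is clean).
count_sslv3_permitting() {
    sslv3_permitting_lines "$1" | wc -l | tr -d ' '
}
# Human-readable report; returns 1 when SSLv3 is still reachable somewhere.
audit_tree() {
    n=$(count_sslv3_permitting "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no SSLProtocol directive under $1 permits SSLv3"
        return 0
    fi
    echo "WARNING: $n SSLProtocol directive(s) under $1 still permit SSLv3:"
    sslv3_permitting_lines "$1" | sed 's/^/  /'
    return 1
}

# Constructed sample tree reproducing the question: ssl.conf was fixed, but
# a vhost file still carries the default "SSLProtocol all" (assumed layout).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/mods-enabled" "$dir/sites-enabled"
    printf 'SSLProtocol All -SSLv2 -SSLv3\n' > "$dir/mods-enabled/ssl.conf"
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all\n</VirtualHost>\n' \
        > "$dir/sites-enabled/default-ssl.conf"
    printf '# SSLProtocol all\nSSLProtocol -all +TLSv1.2\n' > "$dir/sites-enabled/hardened.conf"
    echo "$dir"
}

# Usage: sh audit_sslprotocol.sh /etc/apache2   (no argument runs the sample)
if [ $# -gt 0 ]; then
    audit_tree "$1"
else
    sample=$(make_sample_tree)
    audit_tree "$sample" || true   # the sample is expected to be flagged
    rm -rf "$sample"
fi
```

Run it as root against /etc/apache2 on the affected server; every reported line must be changed to exclude SSLv3 before the restart will have any effect.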
Solution 2:
SSLv2 is no longer supported.
Therefore
SSLProtocol All -SSLv2 -SSLv3
won't work
SSLProtocol All -SSLv3
will
Solution 3:
In your Apache configuration file, use the settings below:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
Then restart Apache and check your site at
https://www.ssllabs.com/ssltest/analyze.html?d=www.yourfancysite.com
It gave me grade A (as of 2017 July), while with my previous setting I only had F :)
Credits to:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/