Completely getting rid of SSLv3 on Apache

apache-2.2 tls nmap

Our security team is asking that we completely disable SSLv3 on some of our servers running Apache. I've used the SSLProtocol entry in the ssl.conf file (like SSLProtocol ALL -SSLv2 -SSLv3) and various SSLCipherSuite entries to try to disable this completely, but to no avail. I still get the following as an example output from nmap

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-01 16:49 Mountain Standard Time
Nmap scan report for ...
Host is up (0.0045s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found    <----
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

On a server running Tomcat for instance, we're able to get no trace of SSLv3, as in this example

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-01 16:54 Mountain Standard Time
Nmap scan report for...
Host is up (0.0022s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Has anyone been able to disable SSLv3 completely in Apache? Is there a way to get SSLv3 completely disabled in Apache? Thank you for the time


You have SSLv3 disabled, but nmap is being a little sloppy in it's reporting. I just tested against my server to see what was happening.

With nmap, I got the same message implying SSLv3 was there but had no ciphers. But if you try the following command line, and you see "SSL alert number 40" (scroll to the right!), then SSLv3 is fully disabled:

$ openssl s_client -connect www.example.com:443 -ssl3
CONNECTED(00000003)
140159193097888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140159193097888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1425297962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Even though you get the same ambiguous indication "New (NONE), Cipher is (NONE)", notice that the SSL handshake was 7 bytes. If you run a packet capture, you will see that the connection is simply this:

Client: Client Hello (SSLv3)

Server: Alert (Level: Fatal, Description: Handshake Failure)

That's as disabled as you can get.

I suspect that nmap reported Tomcat differently because Tomcat came back with a richer set of protocols. Perhaps Tomcat offered TLS1 when SSL3 was proposed instead of rejecting SSL3 out of hand. I'm trying to round up a Tomcat-based host to test against to see what's happening under the hood.

Related

Checking puppet-generated exim config before deploying
Grouping nodes in puppet
Can I use TLSv1.0 for one client IP, TLS v1.2 for everyone else
Where do md array definitions come from?
Multiple wildcard certificates for same common name on different servers
Why is the cron ENV different from the user's ENV?
Google Chrome says my SSL uses outdated security settings but other site tests disagree [closed]
Server2k8: Prevent membership in a group based on membership in another group
Squid3 'The proxy server is refusing connections'
Enforce 15-character minimum password length on Windows
How configure environment variable with AcceptEnv
TCP sequence number randomization