How to disable SSLv3 in Apache?

I had the same problem... You have to include SSLProtocol all -SSLv2 -SSLv3 within every VirtualHost stanza in httpd.conf

The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:

...
...
<VirtualHost your.website.example.com:443>
    DocumentRoot /var/www/directory
    ServerName your.website.example.com

    ...
    SSLEngine on
    ...
    SSLProtocol all -SSLv2 -SSLv3
    ...
</VirtualHost>

Also check ssl.conf or httpd-ssl.conf or similar because they may be set there, not necessarily in httpd.conf

I had the same problem on Ubuntu 14.04. After reading this, I edited the section "SSLProtocol" in /etc/apache2/mods-available/ssl.conf.

from: SSLProtocol all
to: SSLProtocol all -SSLv2 -SSLv3 -TLSV1

But it didn't work. So I edited the following section too "SSLCipherSuite" in /etc/apache2/mods-available/ssl.conf.

from: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
to: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

And now it now works for me.

By the way, the Cipher Suites are not affected by POODLE, only the protocol -- but most browsers are okay with a disabled SSLv3 Cipher Suite.

Don't use this for a Mailserver! Or you will (maybe) face the problem of not being able to fetch your Mails on some devices.

For Ubuntu 10.04

To disable SSLv3 on all active vhosts you need the option in

/etc/apache2/mods-available/ssl.conf :

SSLProtocol all -SSLv2 -SSLv3

How to disable SSLv3 in Apache?

Tags:

Ssl

Apache Httpd

Related

Recent Posts