LinuxQuestions.org
Old 09-12-2015, 09:33 PM   #1
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Rep: Reputation: 26
Can't disable SSLv3 in Apache + mod_nss


Hi everyone,

I am trying to implement TLS through mod_nss in Apache (RHEL 7). As per the documentation, I have installed mod_nss and removed mod_ssl.

I have followed the steps outlined in the documentation (see above link), especially making sure that the NSSProtocol directive reads as follows (according to the docs, this disables all SSL and TLS protocol versions except TLS version 1 and higher):

Code:
NSSProtocol TLSv1.0,TLSv1.1
Then I restarted Apache and tested whether SSLv3 is enabled:
Code:
openssl s_client -connect localhost:443 -ssl3
which returns (output has been truncated for brevity):

Code:
[root@box1 ~]# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
139894684407712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher    : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1442107224
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
[root@box1 ~]#
As you can see, the handshake completes (as indicated by "SSL handshake has read 5 bytes and written 7 bytes"), so that makes me doubt that SSLv3 has actually been disabled.

I have spent countless hours searching for a solution, but everything I've been able to find tells me how to disable SSLv3 through mod_ssl, not mod_nss.

Any ideas or clarifications will be more than welcome.
 
Old 09-14-2015, 01:13 PM   #2
thesnow
Member
 
Registered: Nov 2010
Location: Minneapolis, MN
Distribution: Ubuntu, Red Hat, Mint
Posts: 170

Rep: Reputation: 56
That's the message you'll see when it IS disabled, otherwise you'll get certificate and non-empty SSL session information. If you pass in ssl2 instead of ssl3 it will also fail, but probably with a slightly different message.
 
1 members found this post helpful.
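The reading thesnow gives above (a "wrong version number" error, no peer certificate and an empty session mean SSLv3 was refused) can be scripted so the check is repeatable across hosts. This is an added example, not code from the thread: the sample transcripts are constructed (the "disabled" one is trimmed from post #1), the certificate body is a placeholder, and the script also flags a local openssl that was built without SSLv3, since such a client cannot prove anything about the server.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: turns the reading of the
# `openssl s_client -ssl3` output described above into a repeatable check.

# Classify a captured s_client transcript. Prints one of:
#   disabled            handshake refused, empty session (SSLv3 is off)
#   enabled             SSLv3 negotiated, a cipher was agreed
#   client-lacks-sslv3  the local openssl was built without SSLv3 support
#   unknown             none of the indicators matched
classify_sslv3_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo client-lacks-sslv3
    # Refused protocol: record-layer error, no cipher, no certificate.
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' \
      || printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo disabled
    # Completed SSLv3 session: s_client names the negotiated cipher.
    elif printf '%s\n' "$out" | grep -q '^New, SSLv3, Cipher is [A-Z0-9-]'; then
        echo enabled
    else
        echo unknown
    fi
}

# Probe a live server; stdin is closed so s_client exits after the handshake.
probe_sslv3() {
    classify_sslv3_output "$(openssl s_client -connect "$1:${2:-443}" -ssl3 </dev/null 2>&1)"
}

# Constructed transcripts for offline use; the first is trimmed from post #1.
SAMPLE_DISABLED='CONNECTED(00000003)
139894684407712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
no peer certificate available
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ENABLED='CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
New, SSLv3, Cipher is DES-CBC3-SHA
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA'
SAMPLE_NO_CLIENT_SUPPORT='unknown option -ssl3'

# Usage: ./check_sslv3.sh <host> [port]   (no arguments: define functions only)
if [ -n "${1:-}" ]; then probe_sslv3 "$1" "${2:-443}"; fi
```

Run it against the same host from a client that still ships SSLv3 support; a result of `client-lacks-sslv3` means the test must be repeated from an older openssl build before drawing any conclusion about the server.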
Old 09-14-2015, 01:20 PM   #3
gacanepa
Member
 
Registered: May 2012
Location: San Luis, Argentina
Distribution: Debian
Posts: 203

Original Poster
Rep: Reputation: 26
Quote:
Originally Posted by thesnow
That's the message you'll see when it IS disabled, otherwise you'll get certificate and non-empty SSL session information. If you pass in ssl2 instead of ssl3 it will also fail, but probably with a slightly different message.
Thank you! I also got the same answer in the Unix & Linux Stack Exchange site. I am adding it here as well for my own reference.
 
Tags
apache, rhel7, tls