LinuxQuestions.org

Linux - Server: Disable SSL v2 in Apache (http://www.linuxquestions.org/questions/linux-server-73/disable-ssl-v2-in-apache-761821/)

cooljai 10-14-2009 07:57 AM

Disable SSL v2 in Apache
 
Hi,

I want to disable SSL v2 in Apache on my CentOS 5.2 box (httpd 2.2.3). For that, I've added the following lines to my /etc/httpd/conf.d/ssl.conf:
Code:

SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

and restarted httpd.

But it's still not disabled: I'm connecting with SSL v2 and getting an error for SSL v3:

Code:

# openssl s_client -connect localhost:443 -ssl2
CONNECTED(00000003)

# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
8021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:

Any help will be appreciated.

anomie 10-14-2009 02:57 PM

I think you want:
Code:

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW


cooljai 10-15-2009 01:00 AM

Hi anomie, thanks for reply.

Just tried this, but to no avail. Able to connect with SSLv2 and getting an error while checking for SSLv3.

Any other thoughts? Though it's intrinsic, how can I confirm that Apache is reading /etc/httpd/conf.d/ssl.conf? Also checked the error log; nothing is there.

Thanks,

anomie 10-15-2009 11:31 AM

FWIW, I'm using the directives I posted successfully with Apache 2.0 + mod_ssl (on RHEL4).

Code:

$ openssl s_client -connect my.host:443 -quiet -ssl2
8641:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Check your main httpd.conf to confirm there is an Include that is pulling in conf.d/ssl.conf or conf.d/*.conf. One quick way to test whether ssl.conf is being pulled in or not is to add a bogus directive to it, e.g.:

Code:

BadDirective foo

And then do a syntax check:

Code:

# apachectl -t
Syntax error on line 2 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'BadDirective', perhaps misspelled or defined by a module not included in the server configuration
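As an added example (not code from anomie's post or from the thread), the script below turns the checks discussed in this thread into three small shell functions and runs them offline against constructed sample files: whether httpd.conf actually includes conf.d/ssl.conf, whether the effective SSLProtocol line still permits SSLv2, and whether a captured `openssl s_client` transcript shows a completed handshake. The last point is the one the thread's own output hints at: `CONNECTED(00000003)` is printed as soon as the TCP connection is up, before any SSL handshake, so it is not evidence that SSLv2 was accepted; only the error lines, or the `Protocol :` line of the session summary, tell you what happened. The temp-directory paths, the httpd.conf fragment, the ssl.conf variants and the s_client transcripts are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Three offline checks for the problem
# discussed above. All sample files are constructed here; real paths on
# CentOS 5 would be /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf.

# ssl_conf_included HTTPD_CONF -> 0 if an uncommented Include line pulls in
# conf.d/ssl.conf or conf.d/*.conf, else 1.
ssl_conf_included() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*conf\.d/(\*\.conf|ssl\.conf)' "$1"
}

# sslv2_allowed CONF -> 0 if the last uncommented SSLProtocol line still
# permits SSLv2, 1 if it excludes it. Tokens are applied left to right the way
# mod_ssl does: "+x"/"-x" add or remove, a bare token replaces the list.
# No directive at all means mod_ssl's default "all", which on httpd 2.2.3
# still includes SSLv2.
sslv2_allowed() {
    proto=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 \
            | awk '{ $1 = ""; print }')
    [ -z "$proto" ] && return 0
    allowed=0
    for tok in $proto; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]|[Ss][Ss][Ll][Vv]2|+[Ss][Ss][Ll][Vv]2) allowed=1 ;;
            -[Aa][Ll][Ll]|-[Ss][Ss][Ll][Vv]2)                               allowed=0 ;;
            [Ss][Ss][Ll][Vv]3|[Tt][Ll][Ss][Vv]1*)                           allowed=0 ;;
        esac
    done
    [ "$allowed" -eq 1 ]
}

# handshake_failed TRANSCRIPT -> 0 if the captured s_client output shows the
# handshake being refused or never completing, 1 if a protocol was actually
# negotiated. CONNECTED(00000003) alone proves nothing either way.
handshake_failed() {
    grep -Eqi 'handshake failure|wrong version number|alert' "$1" && return 0
    grep -Eq '^ *Protocol *: *(SSLv2|SSLv3|TLSv1)' "$1" && return 1
    return 0
}

# ---- constructed sample inputs --------------------------------------------
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

printf 'Listen 80\nInclude conf.d/*.conf\n'       >"$TMP/httpd.conf"
printf 'Listen 80\n#Include conf.d/*.conf\n'      >"$TMP/httpd-noinclude.conf"
# weak: mod_ssl's default made explicit (SSLv2 on)
printf 'SSLProtocol all\n'                        >"$TMP/ssl-weak.conf"
# the two forms from the thread, both of which exclude SSLv2
printf 'SSLProtocol All -SSLv2\n'                 >"$TMP/ssl-fixed-a.conf"
printf 'SSLProtocol -All +SSLv3 +TLSv1\n'         >"$TMP/ssl-fixed-b.conf"

# transcript as the OP pasted it: TCP connect only, handshake result missing
printf 'CONNECTED(00000003)\n'                    >"$TMP/ssl2-truncated.txt"
# transcript of a server that refuses SSLv2
printf 'CONNECTED(00000003)\n8641:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:\n' \
                                                  >"$TMP/ssl2-refused.txt"
# transcript of a completed TLSv1 handshake (session summary reached)
printf 'CONNECTED(00000003)\n---\nSSL-Session:\n    Protocol  : TLSv1\n    Cipher    : DHE-RSA-AES256-SHA\n---\n' \
                                                  >"$TMP/tls1-ok.txt"

# ---- run the checks --------------------------------------------------------
for h in httpd.conf httpd-noinclude.conf; do
    if ssl_conf_included "$TMP/$h"; then echo "$h: conf.d/ssl.conf is included"
    else echo "$h: conf.d/ssl.conf is NOT included (add 'Include conf.d/*.conf')"; fi
done
for f in ssl-weak.conf ssl-fixed-a.conf ssl-fixed-b.conf; do
    if sslv2_allowed "$TMP/$f"; then echo "$f: SSLv2 still ALLOWED"
    else echo "$f: SSLv2 excluded"; fi
done
for t in ssl2-truncated.txt ssl2-refused.txt tls1-ok.txt; do
    if handshake_failed "$TMP/$t"; then echo "$t: no handshake completed"
    else echo "$t: handshake negotiated"; fi
done
```

Point the functions at the real files on the box (`sslv2_allowed /etc/httpd/conf.d/ssl.conf`, or `openssl s_client -connect host:443 -ssl2 </dev/null 2>&1 | tee out.txt` and then `handshake_failed out.txt`) to get the same answers for a live server. Two caveats beyond the thread's date: any current deployment should also drop SSLv3 (`SSLProtocol all -SSLv2 -SSLv3`), and OpenSSL builds from 1.1.0 onwards no longer ship SSLv2 support at all, so `s_client -ssl2` simply reports an unknown option there rather than testing anything.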


