Disable SSL v2 in Apache

cooljai · 10-14-2009, 08:57 AM

Hi,

I want to disable SSL v2 in apache on my CentOS 5.2 box (httpd 2.2.3), for that, I've added following lines in my /etc/httpd/conf.d/ssl.conf:

Code:

SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

and restarted httpd.

but it still not disabled, I'm connecting to SSL v2 and getting error for SSL v3:

Code:

# openssl s_client -connect localhost:443 -ssl2
CONNECTED(00000003)

# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
8021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:

Any help will be appreciated.

anomie · 10-14-2009, 03:57 PM

I think you want:

Code:

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW

cooljai · 10-15-2009, 02:00 AM

Hi anomie, thanks for reply.

Just tried this but no avail. able to connect SSLv2 and getting error while checking for SSLv3.

Any other thoughts? Though its intrinsic but how can I confirm that apache reading /etc/httpd/conf.d/ssl.conf? Also checked error log, nothing is there.

Thanks,

anomie · 10-15-2009, 12:31 PM

FWIW, the directives I posted I'm using successfully with Apache 2.0 + mod_ssl (on RHEL4).

Code:

$ openssl s_client -connect my.host:443 -quiet -ssl2
8641:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Check your main httpd.conf to confirm there is an Include that is pulling in conf.d/ssl.conf or conf.d/*.conf. One quick way to test whether ssl.conf is being pulled in or not is to add a bogus directive to it, e.g.:

Code:

BadDirective foo

And then do a syntax check:

Code:

# apachectl -t
Syntax error on line 2 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'BadDirective', perhaps misspelled or defined by a module not included in the server configuration