LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Disable SSL v2 in Apache (https://www.linuxquestions.org/questions/linux-server-73/disable-ssl-v2-in-apache-761821/)

cooljai 10-14-2009 07:57 AM
Disable SSL v2 in Apache
 
Hi,

I want to disable SSL v2 in apache on my CentOS 5.2 box (httpd 2.2.3), for that, I've added following lines in my /etc/httpd/conf.d/ssl.conf:
Code:
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
and restarted httpd.

but it still not disabled, I'm connecting to SSL v2 and getting error for SSL v3:

Code:
# openssl s_client -connect localhost:443 -ssl2
CONNECTED(00000003)

# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
8021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
Any help will be appreciated.

anomie 10-14-2009 02:57 PM
I think you want:
Code:
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW

cooljai 10-15-2009 01:00 AM
Hi anomie, thanks for reply.

Just tried this but no avail. able to connect SSLv2 and getting error while checking for SSLv3.

Any other thoughts? Though its intrinsic but how can I confirm that apache reading /etc/httpd/conf.d/ssl.conf? Also checked error log, nothing is there.

Thanks,

anomie 10-15-2009 11:31 AM
FWIW, the directives I posted I'm using successfully with Apache 2.0 + mod_ssl (on RHEL4).

Code:
$ openssl s_client -connect my.host:443 -quiet -ssl2
8641:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Check your main httpd.conf to confirm there is an Include that is pulling in conf.d/ssl.conf or conf.d/*.conf. One quick way to test whether ssl.conf is being pulled in or not is to add a bogus directive to it, e.g.:

Code:
BadDirective foo
And then do a syntax check:

Code:
# apachectl -t
Syntax error on line 2 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'BadDirective', perhaps misspelled or defined by a module not included in the server configuration


All times are GMT -5. The time now is 04:12 AM.