Disable SSLv3 in Apache HTTP Server

Background:

We had a requirement to disable all versions of SSL for encryption and use TLS. We used https://www.ssllabs.com to test our HTTP server.

We found that SSL 3 had a vulnerability. By removing SSL from the list of supported protocols, the BEAST attack and POODLE were mitigated and we were able to achieve an overall rating of B for our website.

The following was done in the ssl.conf file of the Apache server:

SSLProtocol all -SSLv2 -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

With reference to the SSLCipherSuite: your OpenSSL supports all of those ciphers, but Apache 2.2.x does not support the ECDHE/ECDSA ones.
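The directives above are easy to get subtly wrong (a later "+all" re-enables SSLv3, a missing SSLHonorCipherOrder lets the client pick the suite), so it pays to check the file before reloading httpd. The script below is an added example and not part of the original post: it parses an ssl.conf for the three settings discussed, following mod_ssl's left-to-right evaluation of SSLProtocol keywords, and also flags RC4 (which the post's cipher list still keeps as a fallback; RFC 7465 prohibits it for TLS). It goes slightly beyond the post by handling the "-all +TLSv1.2" style of SSLProtocol as well. The sample configs, file names and temp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an Apache ssl.conf
# for the settings discussed above before reloading the server.
# Sample configs and paths below are constructed for the demonstration.

# sslv3_disabled FILE: exit 0 if the last SSLProtocol directive leaves SSLv3 off.
# mod_ssl applies keywords left to right: "all" turns every protocol on,
# "-X" turns X off, "+X" turns X on, so the last matching keyword wins.
# With no SSLProtocol line at all, mod_ssl defaults to "all", i.e. SSLv3 on.
sslv3_disabled() {
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    set -- $line; shift            # drop the directive name, keep the keywords
    enabled=0
    for tok in "$@"; do
        case "$tok" in
            all|+all|SSLv3|+SSLv3) enabled=1 ;;
            -all|-SSLv3)           enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 0 ]
}

# honor_cipher_order FILE: exit 0 if SSLHonorCipherOrder is on, so the server's
# preference list (not the client's) decides which suite is negotiated.
honor_cipher_order() {
    grep -iEq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on[[:space:]]*$' "$1"
}

# rc4_in_cipher_suite FILE: exit 0 if an RC4 suite is still reachable through
# SSLCipherSuite. A "!RC4" token removes RC4 permanently wherever it appears;
# other "!" tokens only exclude things and never enable RC4.
rc4_in_cipher_suite() {
    line=$(grep -iE '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    set -- $line; shift
    suite=$(printf '%s' "$*" | tr -d '"')
    reachable=1
    old_ifs=$IFS; IFS=:
    for c in $suite; do
        case "$c" in
            '!RC4') IFS=$old_ifs; return 1 ;;
            !*)     ;;
            *RC4*)  reachable=0 ;;
        esac
    done
    IFS=$old_ifs
    return $reachable
}

# audit FILE: print a one-line verdict per check (always exits 0).
audit() {
    if sslv3_disabled "$1"; then echo "$1: SSLv3 disabled"; else echo "$1: SSLv3 STILL ENABLED"; fi
    if honor_cipher_order "$1"; then echo "$1: server cipher order enforced"; else echo "$1: client chooses cipher order"; fi
    if rc4_in_cipher_suite "$1"; then echo "$1: RC4 reachable (RFC 7465 prohibits it)"; fi
    return 0
}

# Constructed samples: a hardened fragment in the spirit of the post (with RC4
# removed) and a stock fragment that still accepts SSLv3.
tmpdir=$(mktemp -d)
cat > "$tmpdir/hardened.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
EOF
cat > "$tmpdir/weak.conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4-SHA:!aNULL:!MD5
EOF
audit "$tmpdir/hardened.conf"
audit "$tmpdir/weak.conf"
rm -r "$tmpdir"

# After editing the real file: run `apachectl configtest`, reload httpd, then
# confirm from outside that an SSLv3 handshake is refused:
#   openssl s_client -connect www.example.com:443 -ssl3
# (this must fail with a handshake or protocol error when SSLv3 is off; it needs
# an OpenSSL build that still includes SSLv3 client support, which recent
# distributions no longer ship).
```

The checks deliberately look only at the last occurrence of each directive, which is what mod_ssl honours inside one virtual host; if ssl.conf includes other files or several VirtualHost blocks, run the audit against each relevant file.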

Reference:

https://community.qualys.com/thread/12684
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
