Apache - Disable insecure SSL versions

SSL version 2 has not been the default protocol for years, but it is often still found enabled to support legacy products. Leaving it enabled is a considerable security risk.

Many websites still use SSL version 3, but a serious vulnerability in this protocol was recently discovered. We therefore strongly recommend switching both protocols off. This is done by changing the SSL configuration of Apache.

  1. Open ssl.conf (normally found in /etc/httpd; the exact location depends on the server OS) and modify the following lines:
       SSLProtocol ALL -SSLv2 -SSLv3
       SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
  2. The SSLProtocol option may be included several times in the file; adjust every occurrence.
  3. Save the changes and restart Apache.
  4. Test the modified settings with the openssl command below. If the change was successful, the command should fail with an error message:
       # openssl s_client -ssl2 -connect virtualhostnaam:443
  5. Test for SSLv3 in the same way; this should also fail:
       # openssl s_client -ssl3 -connect virtualhostnaam:443
  6. Make sure the sites still work with TLSv1:
       # openssl s_client -tls1 -connect virtualhostnaam:443
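Step 2 warns that SSLProtocol can appear more than once. The following Python script, added here as an example and not part of the original guide, evaluates every active SSLProtocol directive in a configuration file with mod_ssl's left-to-right +/- semantics and reports any that still leave SSLv2 or SSLv3 enabled. It assumes, conservatively, that the keyword "all" includes SSLv2 and SSLv3 (newer Apache releases no longer include SSLv2 in "all"), and SAMPLE_CONF is a constructed fragment, not a real server's file.

```python
import re

# SSLProtocol keywords mod_ssl accepts (matched case-insensitively). Assumption:
# "all" expands to every keyword, including SSLv2 and SSLv3, as in this guide's era.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANONICAL = {p.lower(): p for p in PROTOCOLS}
INSECURE = {"SSLv2", "SSLv3"}
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(value):
    """Evaluate an SSLProtocol value such as 'ALL -SSLv2 -SSLv3' left to right:
    a bare or '+' token enables a protocol, a '-' token disables it."""
    enabled = set()
    for token in value.split():
        remove = token.startswith("-")
        name = token.lstrip("+-").lower()
        if name == "all":
            names = set(PROTOCOLS)
        elif name in _CANONICAL:
            names = {_CANONICAL[name]}
        else:
            raise ValueError(f"unknown protocol keyword: {token}")
        enabled = enabled - names if remove else enabled | names
    return enabled


def audit_ssl_config(config_text):
    """Report every active SSLProtocol directive (there may be one per virtual
    host) as (line_number, value, sorted insecure protocols still enabled)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented out, not active configuration
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)
            findings.append((line_no, value, sorted(enabled_protocols(value) & INSECURE)))
    return findings


# Constructed ssl.conf fragment for demonstration, not taken from a real server.
SAMPLE_CONF = """\
# SSLProtocol all
<VirtualHost *:443>
    SSLProtocol ALL -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
"""
```

Pass the contents of the ssl.conf from step 1 to audit_ssl_config to see which directives still need the -SSLv3 change. The openssl checks in steps 4 and 5 remain worthwhile, but note that modern OpenSSL builds omit the -ssl2 and -ssl3 options entirely, so an "unknown option" error there means the client cannot speak the protocol, not that the server refused it.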

