Apache - Disable insecure SSL versions
SSL version 2 has not been the default protocol for years, but it is often found enabled to support legacy products. However, it also poses a considerable security risk.
Many websites still use SSL version 3, but a serious vulnerability in this protocol was recently discovered. We therefore strongly recommend turning both of them off. This can be done by changing the SSL configuration of Apache.
- Open ssl.conf (normally found in /etc/httpd; the exact location depends on the server OS) and modify the SSLProtocol line so that it reads:
SSLProtocol ALL -SSLv2 -SSLv3
- The SSLProtocol option may appear more than once in the file; adjust every occurrence.
- Save the changes and restart Apache.
- Test the modified settings with the openssl command below (if the change was successful, the connection attempt should fail with an error message):
# openssl s_client -ssl2 -connect virtualhostnaam:443
- Test for SSLv3 in the same way:
# openssl s_client -ssl3 -connect virtualhostnaam:443
- Make sure the sites still work correctly with TLSv1:
# openssl s_client -tls1 -connect virtualhostnaam:443
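As an added example (not part of the original guide), the following Python script audits an ssl.conf and flags every SSLProtocol directive that still permits SSLv2 or SSLv3, applying mod_ssl's token rules so that a bare token overriding an earlier one is handled correctly. It assumes Apache 2.2 semantics for the `all` keyword and runs against a constructed configuration fragment embedded in the script.

```python
import re
# "all" expansion; assumed Apache 2.2 semantics (SSLv2 included; 2.4 drops it), the conservative audit choice.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
INSECURE = {"SSLv2", "SSLv3"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}

def effective_protocols(value):
    """Protocols enabled by an SSLProtocol value. Tokens are case-insensitive and
    applied left to right: '+name' adds, '-name' removes, and a bare 'name'
    replaces everything before it (mod_ssl warns "overrides previous setting")."""
    enabled = set()
    for tok in value.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        # an unknown token raises KeyError here; mod_ssl refuses to start on one
        names = set(ALL_PROTOCOLS) if name == "all" else {CANON[name]}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = names  # e.g. 'SSLv3 TLSv1' enables only TLSv1
    return enabled

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def audit_ssl_config(text):
    """(line, value, insecure) for each SSLProtocol directive still permitting SSLv2
    or SSLv3. Comments are skipped; every occurrence is checked, since a directive
    inside <VirtualHost> overrides the server-wide one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            bad = effective_protocols(m.group(1)) & INSECURE
            if bad:
                findings.append((lineno, m.group(1), sorted(bad)))
    return findings

# Constructed ssl.conf fragment: a server-wide directive that still allows SSLv3,
# one correctly hardened vhost, and one that re-enables SSLv3 behind a comment.
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol ALL -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    # sslprotocol TLSv1
    SSLProtocol +SSLv3 +TLSv1
</VirtualHost>
"""
```

Running audit_ssl_config over the real file (for example open("/etc/httpd/conf.d/ssl.conf").read()) lists the line numbers that still need the "-SSLv2 -SSLv3" change before restarting Apache.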
Use our SSLCheck to verify whether the server still allows SSLv2 or SSLv3.