logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Disable SSLV3 in apache 2.2
Author
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Thu 11 Feb '16 20:03    Post subject: Disable SSLV3 in apache 2.2 Reply with quote
Hi there,
with following config I am unable to disable the sslv3 in apahce 2.2.29. Please help. Thanks

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv3

Regards,
-Muddassir
Back to top
jmcl



Joined: 11 Feb 2016
Posts: 10
PostPosted: Thu 11 Feb '16 23:21    Post subject: Re: Disable SSLV3 in apache 2.2 Reply with quote
mmfarooq@live.com wrote:
Hi there,
with following config I am unable to disable the sslv3 in apahce 2.2.29.


Apache 2.2.29 uses OpenSSL 1.0.1j. The OpenSSL changelogs do list the following:

Quote:
Fix issue where no-ssl3 configuration sets method to NULL. When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference.


quote source: http://www.openssl.org/news/cl101.txt

Maybe it's unrelated but I would try and test disabling sslv3 on a more recent version (e.g. 2.2.31).
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 7:59    Post subject: Reply with quote
What should i do for this fix.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
PostPosted: Fri 12 Feb '16 10:05    Post subject: Reply with quote
use

Code:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS


Don't forget to restart apache.
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 11:35    Post subject: Reply with quote
again its same.. not fixing it.
Back to top
jmcl



Joined: 11 Feb 2016
Posts: 10
PostPosted: Fri 12 Feb '16 12:55    Post subject: Reply with quote
mmfarooq@live.com wrote:
again its same.. not fixing it.


Can you please go to your Apache bin folder and run the command:

httpd.exe -v

The answer should be

Server version: Apache/2.2.31 (Win32)
Server built: Dec 3 2015 21:36:59

If it's not version 2.2.31, please upgrade your server to the latest version and try again.
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 13:17    Post subject: Reply with quote
I am on linux...here is output

Server version: Apache/2.2.29 (Unix)
Server built: Mar 12 2015 03:50:17
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 13:48    Post subject: Reply with quote
on other machine have the follwoing version.

Server version: Apache/2.2.31 (Unix)
Server built: Aug 13 2015 23:45:37

facing same issue here too
Back to top
jmcl



Joined: 11 Feb 2016
Posts: 10
PostPosted: Fri 12 Feb '16 13:51    Post subject: Reply with quote
mmfarooq@live.com wrote:
I am on linux...here is output

Server version: Apache/2.2.29 (Unix)
Server built: Mar 12 2015 03:50:17


First, try to upgrade your Apache to 2.2.31.

Also, post your linux system and version.

A few more pointers that can help you:

1. If you are using virtual hosts make sure that "SSLProtocol all -SSLv2 -SSLv3" is listed inside all the virtual host.

2. On Ubuntu look also for "SSLCipherSuite" in /etc/apache2/mods-available/ssl.conf
Edit the above refered ssl.conf and make sure you change

from: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
to: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

But lets try something different. When you say "unable to disable the sslv3", how are you testing that sslv3 is not disabled?

Last edited by jmcl on Fri 12 Feb '16 14:00; edited 1 time in total
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 13:57    Post subject: Reply with quote
on Server version: Apache/2.2.31 (Unix)..

I am testing it on ssllab.com and it says sslv3 enables.
2ndly "openssl s_client -connect localhost:443 -ssl3" also returns ssl cert not the failure.
Back to top
jmcl



Joined: 11 Feb 2016
Posts: 10
PostPosted: Fri 12 Feb '16 14:03    Post subject: Reply with quote
mmfarooq@live.com wrote:
on Server version: Apache/2.2.31 (Unix)..

I am testing it on ssllab.com and it says sslv3 enables.
2ndly "openssl s_client -connect localhost:443 -ssl3" also returns ssl cert not the failure.


You are probably missing a Virtual Host or an included ssl configuration file.
I added more info to my last post. See if it helps.
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 15:38    Post subject: Reply with quote
can we update weak Diffie-Hellman (DH) key exchange parameters in apche 2.2.29 ? it yess, then how?
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 15:44    Post subject: Reply with quote
yes jmcl. we were gorgetting an ssl file.. its fixed now.. i updated configs in a vhost configs.

please tell me about the weak Diffie-Hellman (DH) key exchange parameters fix on apache 2.2.29. THanks a ton man.. Smile
Back to top
jmcl



Joined: 11 Feb 2016
Posts: 10
PostPosted: Fri 12 Feb '16 18:57    Post subject: Reply with quote
mmfarooq@live.com wrote:
yes jmcl. we were gorgetting an ssl file.. its fixed now.. i updated configs in a vhost configs.

please tell me about the weak Diffie-Hellman (DH) key exchange parameters fix on apache 2.2.29. THanks a ton man.. Smile


Update your OpenSSL to the latest compatible version.
Then read this:

https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/

Also, go to

https://weakdh.org/sysadmin.html

and configure and test your Apache.

The suggest configuration is:

Code:
SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 19:36    Post subject: Reply with quote
it didnt work for me... ;(
Back to top
mmfarooq@live.com



Joined: 01 Jan 2016
Posts: 18
Location: lahore
PostPosted: Fri 12 Feb '16 19:49    Post subject: Reply with quote
do we need to add this patch?

http://bugs.httpd.apache.narkive.com/6V0KLOkg/bug-57984-new-patch-to-add-user-specified-diffie-hellman-parameters-to-apache-2-2-29#selection:1.2053.24
Back to top


Reply to topic   Topic: Disable SSLV3 in apache 2.2 View previous topic :: View next topic
Post new topic   Forum Index -> Apache