I am using Virtualmin Pro 4.11, CentOS Linux 6.5 and Apache version 2.2.15.
I am trying to adapt to the new "POODLE" SSL issue. So I am trying to disable SSL and use TLS. I notice that in httpd.conf I have these two lines:
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
That suggests to me that globally, SSLv2 is disabled. Maybe I just need to do this?
SSLProtocol ALL -SSLv2 -SSLv3
and
SSLCipherSuite HIGH:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL
However I have virtual hosts with their own SSL certificates. If I go to 'services >> configure web site for SSL >> SSL options' I see all these protocols enabled:
SSL protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why is SSLv2 enabled when it seems to be globally disabled?
Now if I deselect SSLv2 and SSLv3 I get a problem:
apachectl configtest:
Syntax error on line 4971 of /etc/httpd/conf/httpd.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
This relates to this in the virtualhost section:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
So there seems to be a bit of a bug here.
Question: What is the best way to disable SSL in favour of TLS for the control panel, for web sites, for Dovecot & for Postfix?
Howdy,
Yeah, it should be enough to just add this:
SSLProtocol ALL -SSLv2 -SSLv3
And then restart Apache.
You can use a command such as this to test if your server is communicating via SSLv3 or not:
openssl s_client -connect domain_with_ssl_cert.tld:443 -ssl3
It shouldn't work with that "-ssl3" flag at the end. If you get rid of that, you should see it work, and send along the SSL certificates.
-Eric
Thanks. Yes, just that one change does it (provided there aren't additional declarations in virtualhost sections).
However that didn't seem to solve the issue with Webmin logins. I looked in Webmin SSL configuration and I saw the option "Allowed SSL ciphers". I had this:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
So I've added !SSLv3 and that seems OK too now.
For Postfix I believe there is no issue unless the server is forcing SSL. In the case of Dovecot, I don't think I have SSL enabled (though perhaps I should!).
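The thread's point that the global SSLProtocol line only helps "provided there aren't additional declarations in virtualhost sections" is easy to check mechanically. The script below is an added example, not part of the original posts or of Virtualmin: it reads an httpd.conf-style text, evaluates each SSLProtocol directive the way mod_ssl does (bare names or "+name" enable, "-name" disables, "ALL" expands to every protocol the build knows, unknown names fail like the "Illegal protocol 'TLSv1.1'" configtest error above), and reports every context, global or per-VirtualHost, that still accepts SSLv2 or SSLv3. It assumes SSLProtocol is a per-server directive (a VirtualHost that sets it replaces the global value rather than merging with it, and one that omits it inherits the global value), that "ALL" includes all five names in KNOWN_PROTOCOLS, and it uses a constructed configuration excerpt rather than a real server's file.

```python
"""Report which Apache contexts (global and each <VirtualHost>) still allow SSLv2/SSLv3."""
import re

# Protocol tokens mod_ssl understands on a build with a modern OpenSSL.
# Assumption: "ALL" expands to every name here; an older mod_ssl/OpenSSL
# rejects the TLSv1.1 and TLSv1.2 tokens outright ("Illegal protocol").
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
INSECURE = frozenset({"SSLv2", "SSLv3"})


def parse_sslprotocol(value, known=KNOWN_PROTOCOLS):
    """Evaluate one SSLProtocol value into the set of enabled protocol names.

    Tokens are processed left to right: 'name' or '+name' enables, '-name'
    disables, 'ALL' enables every known protocol. Matching is case-insensitive.
    An unknown name raises ValueError, mirroring the configtest failure.
    """
    by_lower = {p.lower(): p for p in known}
    enabled = set()
    for token in value.split():
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(known)
        elif token.lower() in by_lower:
            names = {by_lower[token.lower()]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % token)
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def effective_protocols(config_text, known=KNOWN_PROTOCOLS):
    """Map each context to its effective set of enabled protocols.

    Assumption: SSLProtocol is per-server, so a <VirtualHost> that sets it
    replaces the global value entirely and one that omits it inherits the
    global value. With no directive at all, mod_ssl's default of 'all' applies.
    """
    global_value = None
    vhosts = []          # (opening-tag arguments, SSLProtocol value or None)
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]*)>", line, re.IGNORECASE)
        if m:
            current = [m.group(1).strip(), None]
            continue
        if re.match(r"</VirtualHost>", line, re.IGNORECASE):
            vhosts.append(tuple(current))
            current = None
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            if current is None:
                global_value = m.group(1)
            else:
                current[1] = m.group(1)
    glob = parse_sslprotocol(global_value, known) if global_value else set(known)
    result = {"global": glob}
    for i, (args, value) in enumerate(vhosts, 1):
        label = "VirtualHost %d (%s)" % (i, args)
        result[label] = parse_sslprotocol(value, known) if value else glob
    return result


def insecure_contexts(config_text, known=KNOWN_PROTOCOLS):
    """Return the labels of every context that still allows SSLv2 or SSLv3."""
    return sorted(label for label, protos in effective_protocols(config_text, known).items()
                  if protos & INSECURE)


# Constructed httpd.conf excerpt for the demonstration, not taken from any real server.
SAMPLE_CONF = """\
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

<VirtualHost *:443>
    ServerName inherits.example.test
</VirtualHost>

<VirtualHost *:443>
    ServerName explicit.example.test
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>

<VirtualHost *:443>
    ServerName stale.example.test
    # this older per-site line silently re-enables SSLv3 for this host
    SSLProtocol ALL -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, protos in effective_protocols(SAMPLE_CONF).items():
        flag = "  <-- still accepts SSLv2/SSLv3" if protos & INSECURE else ""
        print("%-24s %s%s" % (label, " ".join(sorted(protos)), flag))
```

Run it against a copy of the real httpd.conf (and any per-site files it Includes, concatenated) to see which VirtualHost blocks carry their own SSLProtocol line; those are the ones the global "ALL -SSLv2 -SSLv3" does not reach. Passing a three-name tuple such as ("SSLv2", "SSLv3", "TLSv1") as known reproduces the configtest failure from the first post, since TLSv1.1 is then rejected as an illegal protocol.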
I am new to this, so I tried to modify the ssl.conf / httpd.conf to include the restrictions about SSLv3, but when I edit and save the files, I can't restart Apache. I open and edit the files with gedit; is that the issue?
Even if I undo my changes and save the files, the errors are still showing... then I need to recover my virtual server in order to start Apache again... :(
Am I missing something? I am not really good at Linux....
Can we change those files safely without any issues with another kind of editor?
I am on CentOS 7, Virtualmin/Webmin GPL. Any help will be appreciated.
Howdy,
What errors do you see in the Apache error log when that occurs? The error log is in /var/log/httpd/error_log.
-Eric
Hi!
I found on Google a way to do it 15 mins ago...
I edited the file with: sudo nano, and did not have any troubles to restart... I think that gedit (the editor) was the problem, by maybe including non-visible typos in the file...
So I changed ssl.conf; do I have other files to change in order to get rid of this SSLv3 POODLE?
I saw that the SSL settings were actually set in Webmin to exclude SSLv3 and SSLv2 (checked).