Disable SSLv3 Not taking effect (POODLE)

#1 Wed, 10/15/2014 - 16:55
indyjoey

I am attempting to disable SSLv3 but it continues to be available.

Steps...

  1. Edit /etc/apache2/mods-enabled/ssl.conf
  2. Update SSLProtocol to be SSLProtocol All -SSLv2 -SSLv3
  3. Restart apache

I am testing SSL with openssl s_client -connect mydomain.com:443 -ssl3 (but with my domain name). I end up getting back the cert info plus this...

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA

I am running Virtualmin on Ubuntu 12.04 with all latest updates. Any thoughts why I am still seeing SSLv3 when testing SSL?

Thu, 10/16/2014 - 09:56
andreychek

Howdy,

Hmm, are you still seeing problems with that? What you described was all I had changed on my Ubuntu 12.04 system, and that seemed to work properly.

You may want to review that there isn't another "SSLProtocol" line somewhere in Apache that's overriding the one that you updated.

-Eric

Thu, 10/16/2014 - 10:04
indyjoey

Yes, still have the issue. That's what I was wondering, but not sure where else to look. I'll grep "SSLProtocol" and see what I can find.

Thu, 10/16/2014 - 10:37
indyjoey

Ok... this has been resolved for me. I actually had to make the change in this file.

/etc/apache2/apache2.conf

Mon, 12/01/2014 - 04:07
ahrboktrexon

Hi guys, same issue here, CentOS 5.11 installed on a production environment. Although I have applied the change to the file conf.d/ssl.conf

SSLProtocol all -SSLv2 -SSLv3

SSLv3 seems still there...

I already grepped the httpd folder to find other occurrences of "SSLProtocol"; the only one is in conf.d/ssl.conf.

Any idea?

Mon, 12/01/2014 - 08:17 (Reply to #5)
ahrboktrexon

Ok, found it, the SSLProtocol all -SSLv2 -SSLv3 must be added in every virtual host configured.

Now SSLv3 is disabled.
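An added example, not code from this thread, from Virtualmin or from the Apache project, that automates the check the thread converges on: every active SSLProtocol directive in the configuration tree, including the ones inside VirtualHost blocks, has to exclude SSLv3 itself, because a directive set in a virtual host replaces the server-wide one. The script evaluates each directive's value with mod_ssl's own token rules (tokens in order; a bare token replaces the set, "+" adds, "-" removes), so an ordering mistake such as "-SSLv3 all" is caught as well. The sample configuration tree, its file names and the function names are constructed for the example; the live probe at the end uses the same openssl s_client command as the first post and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or Virtualmin): audit an Apache config
# tree for SSLProtocol directives that still leave SSLv3 enabled.

# Evaluate an SSLProtocol value the way mod_ssl parses it: tokens are read in
# order, a bare token replaces the set, "+" adds to it and "-" removes from it.
# Prints "allowed" if SSLv3 ends up enabled, "blocked" otherwise.
sslv3_state() {
    enabled=0
    for tok in $1; do
        action=set
        case $tok in
            +*) action=add;    tok=${tok#+} ;;
            -*) action=remove; tok=${tok#-} ;;
        esac
        # mod_ssl compares protocol names case-insensitively
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            all|sslv3) covers_sslv3=1 ;;
            *)         covers_sslv3=0 ;;
        esac
        case $action in
            set)    enabled=$covers_sslv3 ;;
            add)    if [ "$covers_sslv3" -eq 1 ]; then enabled=1; fi ;;
            remove) if [ "$covers_sslv3" -eq 1 ]; then enabled=0; fi ;;
        esac
    done
    if [ "$enabled" -eq 1 ]; then echo allowed; else echo blocked; fi
}

# List every active (uncommented) SSLProtocol directive below a directory as
# "file<TAB>line<TAB>value", one per line. Commented lines start with "#"
# as their first field and therefore never match.
list_sslprotocol() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="$f" '
            tolower($1) == "sslprotocol" {
                value = $0
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", value)
                printf "%s\t%d\t%s\n", file, NR, value
            }' "$f"
    done
}

# Print each directive that still allows SSLv3 as "file:line: SSLProtocol ...".
find_sslv3_leaks() {
    list_sslprotocol "$1" | while IFS="$(printf '\t')" read -r file line value; do
        if [ "$(sslv3_state "$value")" = allowed ]; then
            printf '%s:%s: SSLProtocol %s  <- SSLv3 still allowed\n' "$file" "$line" "$value"
        fi
    done
}

# Constructed sample tree shaped like Debian's /etc/apache2: the global file
# disables SSLv3, but one virtual host sets its own weaker SSLProtocol.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled" "$d/mods-enabled"
    printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$d/apache2.conf"
    printf '# SSLProtocol all -SSLv2\n' > "$d/mods-enabled/ssl.conf"
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2\n</VirtualHost>\n' \
        > "$d/sites-enabled/example.conf"
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2\n</VirtualHost>\n' \
        > "$d/sites-enabled/other.conf"
    echo "$d"
}

# Live check as done in the thread: ask the server to negotiate SSLv3 only.
# Needs network access and an openssl built with SSLv3 support; not run here.
probe_sslv3() {
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "this openssl has no -ssl3 option; cannot probe"; return 2
    fi
    if openssl s_client -connect "$1:443" -ssl3 </dev/null 2>/dev/null \
        | grep -q 'Protocol  : SSLv3'; then
        echo "$1 still accepts SSLv3"; return 1
    fi
    echo "$1 rejects SSLv3"
}

# Demo on the constructed tree: expect exactly the example.conf vhost to be listed.
sample=$(make_sample_tree)
echo "Auditing $sample"
leaks=$(find_sslv3_leaks "$sample")
if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks"
else
    echo "No SSLProtocol directive allows SSLv3"
fi
rm -rf "$sample"
```

Run it against the real tree with `find_sslv3_leaks /etc/apache2` (Debian/Ubuntu) or `find_sslv3_leaks /etc/httpd` (CentOS) after sourcing the file; an empty result means every active directive excludes SSLv3, which is the state the last two posts reached by hand. Virtual hosts that set no SSLProtocol at all inherit the server-wide value and so do not appear in the listing.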
