Disabling SSLv3 in Apache

Yesterday I wrote a post about disabling SSLv3 in Postfix, and today we take a closer look at Apache. Comparing the current installation with the Apache version shipped in Debian 8 (Jessie), released a few days ago, shows that the Apache project or Debian has taken the responsibility to disable SSLv2 completely; it is no longer even a choice. Hopefully SSLv3 will get the same treatment soon, since broken security is worse than no security because of the false sense of security it gives.

After a clean install on Debian Wheezy /etc/apache2/mods-available/ssl.conf contains the following entries:

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv2

After a clean install on Debian Jessie /etc/apache2/mods-available/ssl.conf contains the following entries:

SSLCipherSuite HIGH:!aNULL
SSLProtocol all -SSLv3

First, we see that the cipher suite differs between the two; I will ignore that for now and come back to it in a later post, as RC4 also needs to be phased out. On Debian Jessie everything is already fine at the protocol level, but on Wheezy the -SSLv3 option is missing. Since both Apache and OpenSSL on Wheezy support TLS, it is safe to turn SSLv3 off unless you still want to serve Internet Explorer 6, which ships with TLS 1.0 disabled by default. The Wheezy ssl.conf should therefore read as follows (the explicit -SSLv2 is redundant on Jessie, where all no longer includes it, but it is accepted and makes the intent clear):

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv3 -SSLv2

As with Postfix, Apache needs a full restart rather than a graceful reload, so that the new setting applies to every connection from that point on and no client keeps an existing SSLv3 connection open.

$ sudo systemctl restart apache2.service

That is the Jessie (systemd) command; Wheezy still boots with sysvinit, where the equivalent is sudo service apache2 restart.

Keep in mind that these settings can also be set at the virtual host level within Apache, where they override the global setting. So it is wise to check the other Apache configuration files as well (the sites under /etc/apache2/sites-enabled and anything in conf.d, or conf-enabled on Jessie) and/or to run sslscan against your websites to verify which protocols are actually offered. apache2ctl -S lists every virtual host together with the file and line it is defined in, and openssl s_client -ssl3 -connect host:443 gives a quick yes/no answer for a single site: once SSLv3 is off, that handshake must fail.
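To make the SSLProtocol semantics and the virtual-host override concrete, here is an added example that is not part of the original post. It evaluates SSLProtocol values the way mod_ssl does (a '+' token adds, a '-' token removes, and a bare token such as all replaces whatever came before it, which is why "-SSLv3 all" still enables SSLv3), then walks a config to report which server scopes would still accept SSLv3 or SSLv2. It runs against a constructed config snippet embedded in the script; the expansion of the all keyword per Apache version (SSLv2 included on 2.2/Wheezy, dropped on 2.4/Jessie) is an assumption of this example, and the host names and addresses are made up.

```python
"""Audit Apache SSLProtocol directives for server scopes that still offer
SSLv3 (or SSLv2), following mod_ssl's own parsing rules.  Added example,
not code from the original post."""
import re

# Protocol keywords accepted by SSLProtocol, compared case-insensitively.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_BY_LOWER = {p.lower(): p for p in PROTOCOLS}

# Assumption of this example: what the keyword "all" expands to.  Apache 2.2
# (Wheezy) still knows SSLv2; Apache 2.4 (Jessie) has no SSLv2 support left.
ALL_APACHE22 = frozenset(PROTOCOLS)
ALL_APACHE24 = frozenset(PROTOCOLS) - {"SSLv2"}

GLOBAL = "* (global)"


def parse_sslprotocol(value, all_set=ALL_APACHE24):
    """Evaluate one SSLProtocol value like mod_ssl: a '+' token adds, a '-'
    token removes, and a bare token REPLACES whatever was chosen so far.
    That last rule is why "-SSLv3 all" still enables SSLv3."""
    enabled = set()
    for word in value.split():
        action, name = "", word
        if word[:1] in ("+", "-"):
            action, name = word[0], word[1:]
        key = name.lower()
        if key == "all":
            chosen = set(all_set)
        elif key in _BY_LOWER:
            chosen = {_BY_LOWER[key]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return frozenset(enabled)


_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)


def scan_config(text, all_set=ALL_APACHE24):
    """Return {scope: effective protocol set} in config order.  A vhost with
    its own SSLProtocol overrides the global one; a vhost without one inherits
    it; with no directive anywhere mod_ssl falls back to "all"."""
    directives = {GLOBAL: None}
    scope, vhost_no = GLOBAL, 0
    for line in text.splitlines():
        if line.strip().startswith("#"):      # Apache comments are whole lines
            continue
        m = _VHOST_OPEN.match(line)
        if m:
            vhost_no += 1
            scope = "VirtualHost %d (%s)" % (vhost_no, m.group(1).strip())
            directives[scope] = None
            continue
        if _VHOST_CLOSE.match(line):
            scope = GLOBAL
            continue
        m = _DIRECTIVE.match(line)
        if m:
            directives[scope] = parse_sslprotocol(m.group(1), all_set)
    global_set = directives[GLOBAL]
    if global_set is None:
        global_set = frozenset(all_set)
    return {scope: (protos if protos is not None else global_set)
            for scope, protos in directives.items()}


def sslv3_offenders(text, all_set=ALL_APACHE24):
    """Names of the scopes that would still accept SSLv2 or SSLv3 handshakes."""
    return [scope for scope, protos in scan_config(text, all_set).items()
            if protos & {"SSLv2", "SSLv3"}]


# Constructed sample: a Wheezy-style global ssl.conf plus three vhosts.
SAMPLE_CONFIG = """\
# global scope, as shipped on Debian Wheezy
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol all -SSLv2

<VirtualHost *:443>
    ServerName www.example.com
    # no SSLProtocol here: inherits the global (SSLv3-enabled) setting
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName hardened.example.com
    SSLProtocol all -SSLv3 -SSLv2
</VirtualHost>

<VirtualHost *:8443>
    ServerName oops.example.com
    # wrong order: the bare "all" discards the preceding -SSLv3
    SSLProtocol -SSLv3 all
</VirtualHost>
"""

if __name__ == "__main__":
    for scope, protos in scan_config(SAMPLE_CONFIG, ALL_APACHE22).items():
        mark = "   <-- still offers SSLv3" if "SSLv3" in protos else ""
        print("%-34s %s%s" % (scope, " ".join(sorted(protos)), mark))
```

Run as-is it reports the global scope, the inheriting www vhost and the misordered oops vhost as still offering SSLv3, while the hardened vhost is clean. To audit a real system, concatenate the ssl.conf and every file under sites-enabled and feed the text to scan_config; the result is only as good as the directives actually reached by Apache, so combine it with apache2ctl -S and an external sslscan rather than trusting it alone.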