I am using Virtualmin Pro 4.11, CentOS Linux 6.5 and Apache version 2.2.15.
I am trying to adapt to the new “POODLE” SSL issue. So I am trying to disable SSL and use TLS. I notice that in httpd.conf I have these two lines:
SSLProtocol ALL -SSLv2
That suggests to me that globally, SSLv2 is disabled. Maybe I just need to do this?
SSLProtocol ALL -SSLv2 -SSLv3
However I have virtual hosts with their own SSL certificates. If I go to ‘services >> configure web site for SSL >> SSL options’ I see all these protocols enabled:
SSL protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why is SSLv2 enabled when it seems to be globally disabled?
Now if I deselect SSLv2 and SSLv3 I get a problem:
apachectl configtest:
Syntax error on line 4971 of /etc/httpd/conf/httpd.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
This relates to this in the virtualhost section:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
So there seems to be a bit of a bug here.
Question: What is the best way to disable SSL in favour of TLS for the control panel, for web sites, for Dovecot & for Postfix?
Yeah, it should be enough to just add this:
SSLProtocol ALL -SSLv2 -SSLv3
And then restart Apache.
You can use a command such as this to test if your server is communicating via SSLv3 or not:
openssl s_client -connect domain_with_ssl_cert.tld:443 -ssl3
It shouldn’t work with that “-ssl3” flag at the end. If you get rid of that, you should see it work, and send along the SSL certificates.
Thanks. Yes, just that one change does it (provided there aren’t additional declarations in virtualhost sections).
However that didn’t seem to solve the issue with Webmin logins. I looked in Webmin SSL configuration and I saw the option “Allowed SSL ciphers”. I had this:
So I’ve added !SSLv3 and that seems OK too now.
For Postfix I believe there is no issue unless the server is forcing SSL. In the case of Dovecot, I don’t think I have SSL enabled (though perhaps I should!).
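The two points above (the global `SSLProtocol ALL -SSLv2 -SSLv3` fix, and the caveat that a VirtualHost with its own SSLProtocol line is not covered by it) can be checked before running `apachectl configtest`. The script below is an added example, not part of this thread or of Virtualmin; it evaluates SSLProtocol directives per scope over a constructed httpd.conf fragment, and the two protocol lexicons simulate a mod_ssl build that knows TLSv1.1/TLSv1.2 versus one that rejects them with the same "Illegal protocol" error seen above.

```python
# Constructed httpd.conf fragment for the demo; it is not the thread's real file.
SAMPLE_CONF = """\
SSLProtocol ALL -SSLv2
<VirtualHost *:443>
    ServerName tls-only.example
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
<VirtualHost *:443>
    ServerName fixed.example
    SSLProtocol ALL -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    ServerName inherits.example
</VirtualHost>
"""
NEW_MODSSL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # knows TLS 1.1/1.2
OLD_MODSSL = {"SSLv2", "SSLv3", "TLSv1"}  # mod_ssl build that rejects 'TLSv1.1'

def expand(tokens, known):
    """Evaluate SSLProtocol args left to right; set of enabled names, or error str."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.upper() == "ALL":  # simplified: ALL = every name this build knows
            names = set(known)
        else:
            names = {k for k in known if k.lower() == name.lower()}
            if not names:
                return "Illegal protocol '%s'" % name
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit(conf, known):
    """Effective SSLProtocol per scope; a vhost without its own inherits the global one."""
    cur, directives, names = "_global", {"_global": None}, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        low = line.lower()
        if low.startswith("<virtualhost"):
            cur = "vhost%d" % len(directives)
            directives[cur] = None
        elif low.startswith("servername"):
            names[cur] = line.split(None, 1)[1]
        elif low.startswith("sslprotocol"):
            directives[cur] = expand(line.split()[1:], known)
        elif low.startswith("</virtualhost"):
            cur = "_global"
    default = directives["_global"] if directives["_global"] is not None else set(known)
    return {names.get(s, s): (v if v is not None else default) for s, v in directives.items()}

def poodle_exposed(scopes):
    """Scopes that still accept SSLv3, the precondition POODLE needs."""
    return sorted(s for s, v in scopes.items() if isinstance(v, set) and "SSLv3" in v)
```

With the sample, the global scope and the vhost that inherits it still accept SSLv3 until the global line drops it, while the vhost that names TLSv1.1 explicitly fails outright on the older build.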
I am new to this, so I tried to modify the ssl.conf / httpd.conf to include the restrictions about SSLv3, but when I edit and save the files, I can’t restart Apache. I open and edit the files with gedit, is it the issue?
Even if I undo my changes and save the files, the errors are still showing… then I need to recover my virtual server in order to start Apache again…
Am I missing something? I am not really good at Linux…
Can we change those files safely without any issues with another kind of editor?
I am on CentOS 7, Virtualmin/Webmin GPL. Any help will be appreciated.
What errors do you see in the Apache error log when that occurs? The error log is in /var/log/httpd/error_log.
I found on Google a way to do it 15 mins ago…
I edited the file with: sudo nano and did not have any troubles to restart… I think that the gedit (editor) was the problem by maybe including non-visible typos in the file…
So I changed the ssl.conf, do I have other files to change in order to get rid of this SSLv3 POODLE?
I saw that the SSL settings were actually set in Webmin to exclude SSLv3 and SSLv2 (checked).