Disable SSLv3 Not taking affect (POODLE)

I am attempting to disable SSLv3 but it continues to be available.

Steps…

  1. Edit /etc/apache2/mods-enabled/ssl.conf
  2. Update SSLProtocol to be SSLProtocol All -SSLv2 -SSLv3
  3. Restart apache

I am testing SSL with openssl s_client -connect mydomain.com:443 -ssl3 (but with my domain name). I end up getting back the cert info plus this…

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA

I am running Virtualmin on Ubuntu 12.04 with all latest updates. Any thoughts what I am still seeing SSLv3 when testing SSL?

Howdy,

Hmm, are you still seeing problems with that? What you described was all I had changed on my Ubuntu 12.04 system, and that seemed to work properly.

You may want to review that there isn’t another “SSLProtocol” line somewhere in Apache that’s overriding the one that you updated.

-Eric

Yes, still have the issue. Thats what I was wondering but not sure where else to look. I’ll grep “SSLProtocol” and see what I can find.

Ok… this has been resolved for me. I actually had to make the change in this file.

/etc/apache2/apache2.conf

Hi guys,
same issue here, CentOS 5.11 installed on production environment.
although I have applied the change to the file conf.d/ssl.conf

SSLProtocol all -SSLv2 -SSLv3

SSLv3 seems still there…

I already grep httpd folder to find some other occurrencies of “SSLProtocol” the only one is in conf.d/ssl.conf

Any idea?

Ok, found it, the
SSLProtocol all -SSLv2 -SSLv3
must be added in every virtual host configured.

Now SSLv3 is disabled.