Java – Disabling SSLv3 but still supporting SSLv2Hello in Apache

Tags: apache-2.2, java, poodle

Many SSL clients, notably JDK 6, use the SSLv2Hello protocol to handshake with the server.
Using this protocol does not mean you are using SSL 2.0 or 3.0 for that matter; it is merely
a handshake to determine which protocol to use. [https://www.rfc-editor.org/rfc/rfc5246#appendix-E.2]

However, in Apache, if you disable SSLv3 support, this apparently removes support for the
SSLv2Hello protocol. Apache Tomcat has explicit support for SSLv2Hello; that is, you can
enable that, but not enable SSLv3.

Is there any way to do this in Apache?

[Update]

This is my protocol config:

  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3

Best Answer

Apparently mod_ssl has changed in the last year or so (I haven't found the exact commit to the source, but found the "problem"). The source now does this:

If SSLProtocol includes only one Protocol:
    Handshake = That Protocol's Handshake Only
Else
    Handshake = SSLv2 Handshake

There's no override for this setting. The only thing you could do is edit the source and recompile your own version. I've created a diff to force SSLv2 Handshake compatibility if you want to compile your own.
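Two points on this page are easy to see in code: the question's observation that an SSLv2-format ClientHello is only a wrapper around whatever protocol version the client really supports, and the answer's description of how the server picks a protocol from its SSLProtocol list. The following is an added example, not code from the page, from mod_ssl or from Tomcat. It parses both hello formats a server can receive, reports the highest version the client advertises, and applies a policy parsed from a directive such as the one in the question. The sample hellos are constructed byte strings, the cipher identifiers in them are arbitrary, and `parse_ssl_protocol` is a simplified reading of the directive (it handles `+name`, `-name` and bare names, not the `all` keyword).

```python
import struct

# Wire (major, minor) pairs and the names Apache's SSLProtocol uses for them.
VERSIONS = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def parse_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends and extract the highest version it offers.

    Returns {"hello": "SSLv2Hello" | "TLS", "version": (major, minor), "ciphers": [...]}.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")

    if data[0] & 0x80:
        # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
        # then msg_type, version, three 16-bit length fields, cipher specs,
        # session id and challenge. The *version* field is what matters:
        # a JDK 6 style client puts TLS 1.0 here even though the wrapper is SSLv2 format.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or len(body) < 9 or body[0] != 0x01:
            raise ValueError("malformed SSLv2-format ClientHello")
        major, minor = body[1], body[2]
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if len(body) != 9 + cs_len + sid_len + ch_len or cs_len % 3:
            raise ValueError("SSLv2-format ClientHello length fields inconsistent")
        specs = body[9:9 + cs_len]
        ciphers = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"hello": "SSLv2Hello", "version": (major, minor), "ciphers": ciphers}

    if data[0] == 0x16:
        # TLS record layer (content type 22 = handshake) carrying a ClientHello.
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) != rec_len or len(rec) < 4 or rec[0] != 0x01:
            raise ValueError("handshake record does not carry a ClientHello")
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) != hs_len or len(hs) < 35:
            raise ValueError("truncated ClientHello")
        major, minor = hs[0], hs[1]          # client_version
        pos = 2 + 32                         # skip client random
        pos += 1 + hs[pos]                   # skip session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        if pos + cs_len > len(hs) or cs_len % 2:
            raise ValueError("cipher suite list overruns ClientHello")
        suites = hs[pos:pos + cs_len]
        ciphers = [suites[i:i + 2].hex() for i in range(0, cs_len, 2)]
        return {"hello": "TLS", "version": (major, minor), "ciphers": ciphers}

    raise ValueError("not a ClientHello in either format")


def parse_ssl_protocol(directive: str) -> set:
    """Turn an SSLProtocol value like '+TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3' into the enabled set.

    Simplified: '+X' enables, '-X' disables, a bare name enables; 'all' is not handled.
    """
    enabled = set()
    for tok in directive.split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def select_protocol(hello: dict, enabled: set):
    """Pick the highest enabled protocol not above what the client advertised.

    The hello *format* plays no part: an SSLv2Hello wrapper advertising TLS 1.0
    gets TLSv1 if that is enabled, and SSL 2.0 itself is never selected.
    """
    candidates = [
        v for v, name in VERSIONS.items()
        if name in enabled and v != (2, 0) and v <= hello["version"]
    ]
    return VERSIONS[max(candidates)] if candidates else None


# Constructed sample hellos (cipher identifiers are arbitrary choices).
SSLV2_HELLO_TLS10 = bytes.fromhex(
    "801f"            # SSLv2 record: length 31, high bit set
    "01"              # CLIENT-HELLO
    "0301"            # highest version supported: TLS 1.0
    "0006" "0000" "0010"   # cipher spec / session id / challenge lengths
    "00002f" "00000a"      # two cipher specs in 3-byte SSLv2 encoding
) + bytes(range(16))  # 16-byte challenge
SSLV2_HELLO_SSL30 = SSLV2_HELLO_TLS10[:3] + b"\x03\x00" + SSLV2_HELLO_TLS10[5:]
TLS_HELLO_TLS12 = bytes.fromhex(
    "16" "0301" "002f"    # handshake record, record version, length 47
    "01" "00002b"         # ClientHello, handshake length 43
    "0303"                # client_version: TLS 1.2
) + bytes(32) + bytes.fromhex(
    "00"                  # session id length 0
    "0004" "c02f" "002f"  # two cipher suites
    "01" "00"             # one compression method: null
)

if __name__ == "__main__":
    policy = parse_ssl_protocol("+TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3")
    for name, raw in [("SSLv2Hello/TLS1.0", SSLV2_HELLO_TLS10),
                      ("SSLv2Hello/SSL3.0", SSLV2_HELLO_SSL30),
                      ("TLS/TLS1.2", TLS_HELLO_TLS12)]:
        hello = parse_client_hello(raw)
        print(name, hello["hello"], hello["version"], "->", select_protocol(hello, policy))
```

Run as a script, it shows the SSLv2-format hello that advertises TLS 1.0 negotiating TLSv1 under the question's directive, the TLS-format hello negotiating TLSv1.2, and the hello that tops out at SSL 3.0 being refused; refusing the SSLv2 *wrapper* as such, which is what the question reports Apache doing, is a separate decision from refusing SSL 3.0.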