SSL – Disabling SSLv3 and SSLv2 Protocol On My Ubuntu 14.04 Server


I recently installed an SSL certificate on my server. Then I tried out this tool to test my newly installed SSL certificate and see whether there is any problem.

It turned out that there is a problem with the SSL 3 protocol: the tool says it is insecure because of its vulnerability to the POODLE attack.

The page suggests disabling SSL 3 to mitigate it.

So I searched the Internet for how to disable SSLv3 and SSLv2 on an Apache 2.4 server.

I found several tutorials that say that, to disable SSLv3 and SSLv2 on my Ubuntu 14.04 server with Apache 2.4, I have to edit all instances of "SSLProtocol all" in all files inside /etc/apache2 and change them to "SSLProtocol all -SSLv2 -SSLv3".

I've already done the following, but SSL Labs' SSL Server Test tool still reports the same issue.

I have already added this to all of my vhosts and to every config file that has SSLProtocol:

SSLProtocol all -SSLv2 -SSLv3

About My Server Setup

On my server, I've set up Pound proxy with Varnish Cache.

I did this because Varnish is not able to do its thing over HTTPS, so I set up Pound and use Varnish as its backend.

The setup is working fine, Varnish is caching on HTTPS.

My SSL certificate was installed properly, I have confirmed that using online tools from Digicert and SSL Labs.

The SSL PEM files used with Pound contain info extracted from .key, .crt and CA.pem.

My Server Details

Below are some details about my server. It hosts a single WordPress instance and is in production.

Ports

  • Apache – on port 8080
  • Apache ports.conf and sites-available/myvhost.conf:

    <IfModule mod_ssl.c>
        Listen 9443
    </IfModule>

  • Varnish backend – port 8080
  • Varnish .vcl – DAEMON_OPTS="-a :80"
  • Pound listens on port 443, configured using ListenHTTPS

The server is provisioned using Tuxlite, which I've downloaded from the following page:

https://github.com/Mins/TuxLite

LSB Release output:

Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:   trusty

Apache output:

Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 10 2015 13:05:59
Server's Module Magic Number: 20120211:27
Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

Pound output:

starting...
Version 2.6
  Configuration switches:
    --enable-cert1l
Exiting...

Varnish version:

varnishd (varnish-4.0.3 revision b8c4a34)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2014 Varnish Software AS

How can I disable the SSLv2 and SSLv3 protocols on my server?

UPDATE

I've inserted the following entries in my /etc/pound/pound.cfg file:

ListenHTTPS
    ...
    Cert "---"
    Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
    ....

And now I get a C grade in SSL Labs.

SSL 3 is still reported as insecure, and the handshake simulation gives errors for IE6 / XP.

Best Answer

Seems like you're running Pound with SSL on port 443.

To fix this issue, have the following lines in /etc/pound.cfg, then restart Pound and test:

ListenHTTPS
    ...
    # Pound's directive is "Disable <proto>", one per line, inside the ListenHTTPS block
    Disable SSLv2
    Disable SSLv3
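As an added example that is not part of the question or the answer above: the reason the Apache SSLProtocol edits changed nothing is that Pound, not Apache, terminates TLS on port 443, so the only reliable check is to test port 443 itself after the Pound change. The Python 3 script below does what `openssl s_client -ssl3 -connect host:443` does on an OpenSSL build that still has SSLv3 compiled in (most current builds do not): it sends a minimal ClientHello at a chosen protocol version and classifies the server's first record as accepted, downgraded, rejected or closed. The host name is a placeholder you pass on the command line; the ServerHello and alert byte strings are constructed for the offline self-check. It covers SSLv3 through TLS 1.2, which share one record format; SSLv2 uses a different record layout and is not probed here.

```python
"""Check which SSL/TLS protocol versions a TLS endpoint (here: Pound on 443)
accepts, by offering each version in a raw ClientHello.  Added example; not
part of the original question or answer."""
import socket
import struct
import sys

# Protocol versions as (major, minor) on the wire.
VERSIONS = {
    "SSLv3":   (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
# Widely implemented suites, enough to get a ServerHello from a server that
# still accepts the offered version (offered for probing only).
CIPHER_SUITES = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004]

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def build_client_hello(version):
    """Return one record carrying a ClientHello for (major, minor) `version`."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])
        + b"\x11" * 32                        # client random (fixed, constructed)
        + b"\x00"                             # session id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                         # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return (bytes([CONTENT_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data, offered):
    """Classify the first server record after our ClientHello.

    'accepted'        - ServerHello at the offered version (the endpoint speaks it)
    'downgraded:<v>'  - ServerHello, but the server chose another version
    'rejected'        - an alert record (e.g. protocol_version / handshake_failure)
    'closed'          - nothing came back (server dropped the connection)
    'unknown'         - anything else"""
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    if data[0] == CONTENT_ALERT:
        return "rejected"
    if data[0] != CONTENT_HANDSHAKE or len(data) < 11 or data[5] != HS_SERVER_HELLO:
        return "unknown"
    chosen = (data[9], data[10])  # server_version field of the ServerHello body
    if chosen == offered:
        return "accepted"
    name = next((n for n, v in VERSIONS.items() if v == chosen), f"{chosen[0]}.{chosen[1]}")
    return f"downgraded:{name}"


def probe(host, port, version_name, timeout=5.0):
    """Connect, offer one protocol version, and classify the answer."""
    version = VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data, version)


def audit(host, port=443):
    """Map each protocol version to what the endpoint did with it."""
    return {name: probe(host, port, name) for name in VERSIONS}


# Constructed sample records for an offline self-check (not captured traffic):
# a ServerHello choosing SSLv3 with suite 0x0035 (AES256-SHA), and a fatal alert.
SAMPLE_SERVER_HELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"            # record: handshake, version 3.0, length 42
    + b"\x02\x00\x00\x26"              # ServerHello, body length 38
    + b"\x03\x00" + b"\x00" * 32       # server_version 3.0, server random
    + b"\x00" + b"\x00\x35" + b"\x00"  # no session id, suite 0x0035, null compression
)
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal (2) handshake_failure (40)


if __name__ == "__main__":
    assert classify_response(SAMPLE_SERVER_HELLO_SSLV3, VERSIONS["SSLv3"]) == "accepted"
    assert classify_response(SAMPLE_ALERT, VERSIONS["SSLv3"]) == "rejected"
    if len(sys.argv) > 1:  # hypothetical usage: python3 tlsprobe.py www.example.invalid
        for name, result in audit(sys.argv[1]).items():
            print(f"{name:8s} {result}")
    else:
        print("self-check passed; pass a host name to probe port 443")
```

After adding the Disable lines to the ListenHTTPS block and restarting Pound, the expected result is 'rejected' or 'closed' for SSLv3 and 'accepted' for TLSv1.2; 'accepted' for SSLv3 means the edit did not reach the process that actually owns port 443. A ServerHello that comes back at a lower version than offered ('downgraded:...') is normal server-side negotiation, not a misconfiguration by itself.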