Ssl – How to disable SSLv1/SSLv2/SSLv3 protocols to block Poodle to Apache 2.4.9 on Windows Server 2008 R2

apache-2.4poodlessltlswindows-server-2008

How can I disable SSLv1, SSLv2 and SSLv3 protocols on Apache 2.4.9 installed on a Windows Server 2008 R2 as a service? (I am not using IIS.)

I still want to have TLSv1.2 protocol on my server.

Here are some of my environment variables:

SERVER_SOFTWARE                          Apache/2.4.9 (Win32) PHP/5.5.12 OpenSSL/1.0.1g 
SSL_PROTOCOL                             TLSv1.2 
Registered Stream Socket Transports      tcp, udp, ssl, sslv3, sslv2, tls

Best Answer

In conf.d/ssl.conf, conf/extra/httpd-ssl.conf, or wherever else you have your mod_ssl settings configured:

SSLProtocol All -SSLv2 -SSLv3

SSLv1 isn't a thing in mod_ssl. The All directive is a shortcut for +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, hence the manual removal of v2 and v3.

Related Solutions

Ssl – Internet Explorer 8 – TLS Fatal Error Close Notify – Oracle HTTP – Server Apache 2.2.22.0

SSLCipherSuite ALL:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3

Since you disable all SSL 3.0 ciphers and since TLS 1.0 and TLS 1.1 just use the SSL 3.0 ciphers and since IE 8 does not support TLS 1.2 there will be no shared ciphers. You will probably find some error messages about this in your log files.

Note, that the POODLE attack is a design flaw in the SSL 3.0 protocol, not in the SSL 3.0 ciphers. Thus you should only disable the protocol, not the ciphers.

Also, your current cipher suite includes very dangerous ciphers, because it includes ADH ciphers which don't require any form of identification of the server. With such ciphers man-in-the-middle attacks are possible.

Edit: in your comment you mention that the client is using Windows 7. Windows 7 should support TLS 1.2 but since the client obviously did not do much updates on the system (otherwise there would be no IE 8 in use) it might be that there are problems with IE 8 and TLS 1.2.

How to disable TLS v1 in Apache v2.2 (Openssl 1.0.1)

It's a little bit old but if this can help someone... Here we go!

It is more related to the first "-" character codification, it is not a standard UTF-8 Minus sign, and Apache does it not recognizes it.

SSLProtocol All **–**TLSv1 -SSLv2 -SSLv3

This is the error I get in my server:

Syntax error on line 162 of /etc/httpd/vhosts.d/test.conf:
SSLProtocol: Illegal protocol '\xe2\x80\x93TLSv1'

Just remove it and write a Minus sign manually, without pasting it from another source. This worked for me.

Thanks and best regards!

Best Answer

Related Solutions

Ssl – Internet Explorer 8 – TLS Fatal Error Close Notify – Oracle HTTP – Server Apache 2.2.22.0

How to disable TLS v1 in Apache v2.2 (Openssl 1.0.1)

Related Topic