I'm attempting to disable SSLv3 in Apache which I've installed on Windows via xampp. But I'm having trouble figuring out how. I was told that I needed to add
SSLProtocol All -SSLv2 -SSLv3
To my ssl config file but I'm not sure where that is.
I see a
C:\xampp\apache\conf\extra\httpd-ssl.conf
but from the research I've done heard that I'm looking for a ssl.conf file which doesn't seem to exist.
Any ideas?
Edit also, from the tutorials I was reading, I'm still not sure where in the config file I'd place the
SSLProtocol All -SSLv2 -SSLv3
if I was able to find the config file.
Had to figure this out myself and too like 30 minutes of Googling to figure it out. Just thought I'd answer it and leave this here for anyone else who comes by and looks at it.
xampp > apache > conf > extra > httpd-ssl.conf
Just add
SSLProtocol All -SSLv2 -SSLv3
right below
Listen 443
and then save and restart. Afterwards, goto http://poodlebleed.com/ and enter your domain and port to make sure that you are now good.
Hope this helps!
Related
I have been asked to disable TLS1.0(on SSLV3) from apache running on Solaris. I am new to infrastructure stuff. I did some googling and most of them talk about something like this
SSLProtocol all -TLSv1 in the ssl.conf file
But, when i go to /etc/apache2/ssl.conf file there is no setting defined for SSLProtocol.
Is it that since there is no settings defined for SSLProtocol that all tls versions are being allowed?
Also , where should i add the SSLProtocl settings in the ssl.conf files?
Many thanks for all replies
Go to the apache's folder, and just run:
grep -iRl "SSLProtocol" ./
And then, if you found a file containing it, change it to the following, or if you didn't find anything, open the ssl.conf, and add this line after the lines starting with SSL:
SSLProtocol -all +TLSv1.2
If your openssl version is above version 1.1.1 (use openssl version to check), and if your apache version is above 2.4.36 (use httpd -v to check), then you can also use TLSv1.3. If you will use it without the above mentioned requirements of the versions, then you will get an error saying Illegal Protocol. So, if you have the above requirements you can use:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Also, I am confused about the SSLv3 you mentioned. You must not use SSLv3 even if you want to. Check https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/.
I am facing an issue with apache configuration for the last few days. I have rebuild apache more than 50 times to fix the issue but the issue still exist. The problem seems to be with the apache cipher suite used. The issue exists with the latest google chrome/Firefox browsers. I have already enabled TLS version on the server and also tried disabling SSLv2 and SSLv3 on server but this didn't work. Please see the apache ciphers used. Please see that i have already followed the main troubleshooting articles below but the issue is still their.
1) http://www.liquidweb.com/kb/how-to-disable-sslv3-and-protect-your-whmcpanel-server-from-poodle/
2) https://poodle.io/servers.html
Also please see the Apache ciphers used below.
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA
:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Please help me in fixing this. Thanks in advance.
Thanks
#ssl.conf
SSLHonorCipherOrder on
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
Here is snapshot of my site which using above configuration.
#ssl.conf
SSLHonorCipherOrder on
SSLProtocol -ALL -SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256: ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA: ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA: DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA :!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# add all required ciphers in existing configuration would please test this
I was able to fix the above issue after reinstalling the SSL certificate. I used the same certificate, Key and bundle for reinstallation. Thankyou for your help.
Thanks
Trying to setup SSL on Apache (on AWS Linux). Firefox gives me these details in it's nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert - quite possibly because I dont have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21 However, it includes many lines of code not in other examples I've found online with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
by default, the ssl settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf
"The certificate is only valid for ip-###-##-#-##"
credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server have more than one IP address, replace the * with IP address inside""
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
Whats more, make sure you create your private key, CSR correctly.
See:https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request
In a recent security scan we did on our servers we got the following comment:
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
the mod_ssl.conf file was updated as instructed
updating the apache2.con with this line:
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
And restarting Apache2 , I get:
Invalid command 'SSLRequireCipher', perhaps misspelled or defined by a
module not included in the server configuration
I tried this line in the apache2.conf:
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
and Apache2 restarted successfully , but the on rerunning the scan I got the same:
SSL Server Allows Anonymous Authentication Vulnerability
Try SSLCipherSuite for the general configuration and SSLRequire with a regexp on %{SSL_CIPHER} if you need a require for a specific part of your server.
EDIT:
If you're running on Ubuntu, the default configuration in /etc/apache2/mods-enabled/ssl.conf should solve your problems:
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2
I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available.
I then changed to...
SSLProtocol -ALL +SSLv3 +TLSv1
and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
I am restarting apache after updates and apachectl configtest says that my syntax is ok. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.
It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.
If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.
Thanks.
As new vulnerabilities are discovered and browsers are upgraded, the answers here can (will) become outdated. I'd suggest you rely on Mozilla SSL Configuration Generator to check which configuration you should use.
UPDATE 2018: It's reasonable to enforce Perfect Forward Secrecy now, unless you need to support older browsers specifically. As of November 2018, only the "modern" profile will enable Perfect Forward Secrecy. Read more about it at:
SSL Labs: Deploying Forward Secrecy
Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
After hours of searching and hair pulling I found my problem.
The default SSLProtocol and SSLCipherSuite directives in my ssl.conf are stored in a default container labeled as <VirtualHost _default_:443>.
My actual site has it's own container labeled with it's IP address eg: <VirtualHost 64.34.119.12:443>. Changing the values in the _default_ container had no affect but adding the stronger SSLProtocol and SSLCipherSuite directives directly to the site specific VirtualHost container finally allowed them to take effect.
Still not sure why adjusting the _default_ container or having them in the VirtualHost container in httpd.conf didn't work.
As a definitive answer to the question, I used...
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
to pass my ScanAlert scan. I would bet that most of the other strings above would work as well.
Did you tell Apache to enforce cipher order?
SSLHonorCipherOrder on
FYI - I found that this setting:
SSLCipherSuite HIGH:!SSLv2:!ADH
Produced the exact same list of protocols as this setting:
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
According to:
openssl ciphers -v 'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
openssl ciphers -v 'HIGH:!SSLv2:!ADH'
The following configuration is recommended by Qualys, it gave us a A on their scanner
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Yes, also make sure Apache is able to read the new configuration. I place this directly inside the virtual host container.
From their website: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Look here Mozilla Wiki.
The goal of this document is to help operational teams with the configuration of TLS on servers.