8

I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak Cipher Suites.

How can I disable that? I tried the following but it isn’t working.

  1. Went to /etc/httpd/conf.d/ssl.conf by ftp. Added

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
    
  2. Connected to the server by PuTTY and ran the service httpd restart command.

But it's still showing insecure on the site. How can I fix it? My server is Plesk 10.3.1 on CentOS. There are 3-4 sites on the same server.

phemmer
  • 6,060
Yahoo
  • 141

4 Answers

10

Change SSLProtocol and SSLCipherSuite lines to,

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Reload your apache for the configuration to take effect.

The SSLHonorCipherOrder On will try the ciphers in the order it is specified.

Above configuration passes the check on ssllabs.com except for TLS version. My CentOS 6 only supports TLS 1.0 because of OpenSSL 1.0.0. OpenSSL 1.0.1 supports TLS 1.1 and 1.2.

Do you have any load balancer or proxy in front of your apache?

Chida
  • 2,531
3

You might want to make sure that there isn't another SSLProtocol or SSLCipherSuite directive anywhere in your Apache config that's overriding the one you just added.

If you can't find it, try adding those two to your SSL vhost rather than ssl.conf. This will help ensure that the correct ones are the last ones applied.

Ladadadada
  • 27,207
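A way to do the check this answer describes, as an added example that is not part of the original answers: list every active SSLProtocol and SSLCipherSuite directive under an Apache config tree, so a vhost or Plesk-generated file that re-sets them after ssl.conf is easy to spot. The config path and the sample files are assumptions built for the demo; the page only names /etc/httpd/conf.d/ssl.conf.

```shell
#!/bin/sh
# Added example, not from the original answers. Apache applies the last
# SSLProtocol / SSLCipherSuite directive in scope, so a second copy in a
# vhost file silently overrides the one edited in ssl.conf.
# Usage: find_ssl_directives /etc/httpd   (path is an assumption)

find_ssl_directives() {
    dir="$1"
    # -r recurse, -n line numbers, -i case-insensitive, -E extended regex.
    # The anchor skips commented-out lines so only active directives show.
    grep -rniE --include='*.conf' --include='*.include' \
        '^[[:space:]]*SSL(Protocol|CipherSuite)[[:space:]]' "$dir" 2>/dev/null
}

# Number of distinct files setting SSLProtocol; more than one means a
# later file may be overriding ssl.conf.
count_sslprotocol_files() {
    find_ssl_directives "$1" | grep -i 'SSLProtocol' \
        | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the question: ssl.conf with the
# question's directives, plus a vhost file that re-enables everything.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/vhosts"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
# SSLProtocol all   (commented out, must be ignored by the check)
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
EOF
    cat > "$d/vhosts/example.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
EOF
    echo "$d"
}
```

On a real server, run find_ssl_directives against the whole httpd config directory and fix or remove every copy that is not the one you intend to be last.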
0

This one worked for me:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH"

Try this one.

-2

To disable SSL in CentOS 6.x, just run the following command:

yum remove mod_ssl

Then

service httpd reload

To enable SSL again, install the "mod_ssl" package again like:

yum install mod_ssl

Then

service httpd reload