8

I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak Cipher Suites.

How can I disable that? I tried the following but it isn’t working.

  1. Went to /etc/httpd/conf.d/ssl.conf by ftp. Added

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
    
  2. Connected to server by putty and gave service httpd restart command.

But still it's showing insecure on the site. How can I fix it? My server is Plesk 10.3.1 on CentOS. There are 3-4 sites on the same server.

phemmer

Yahoo
  • A few years ago I had a problem while renewing an SSL certificate. The new configuration was ignored, even after an apache restart. Stopping apache then starting apache solved the problem. –  Aug 12 '12 at 16:22
  • @EricDANNIELOU - I rebooted the whole server, still no luck – Yahoo Aug 12 '12 at 16:23

4 Answers

10

Change the SSLProtocol and SSLCipherSuite lines to:

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Reload your apache for the configuration to take effect.

With SSLHonorCipherOrder On, the ciphers are tried in the order they are specified.

The above configuration passes the check on ssllabs.com except for the TLS version. My CentOS 6 only supports TLS 1.0 because of OpenSSL 1.0.0. OpenSSL 1.0.1 supports TLS 1.1 and 1.2.

Do you have any load balancer or proxy in front of your apache?

Chida
  • I added the lines that you mentioned above, but it still doesn't work. When I check on `www.ssllabs.com` it still shows that it's enabled. I am unaware of any `load balancer or proxy in front of apache`; how can I check this? I'll let you know whatever details you need. – Yahoo Aug 12 '12 at 13:59
  • However when I run this, I get an error. So it seems it's disabled, but the site isn't showing it. `openssl s_client -ssl2 -connect localhost:443 CONNECTED(00000003) 21731:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428: ]0;root@u15341216:~[root@u15341216 ~]# ` – Yahoo Aug 12 '12 at 14:06
  • It could be coming from your load balancer or proxy from some other backend application. Without more details on your setup/architecture, it is hard to debug. The configuration I mentioned works for my apache that serves SSL directly, and ssllabs.com gives me a rating of 88. – Chida Aug 12 '12 at 14:15
  • So I should disable the load balancer, if it's there on the system? How can I find out if it's installed or not? – Yahoo Aug 12 '12 at 14:18
  • If apache listens on port *:80 and your server has the public IP corresponding to your website, there is no load balancer. Also check DNS records for round robin. –  Aug 12 '12 at 16:28
  • Could you post your apache configuration files? – Chida Aug 12 '12 at 19:40
  • Adi, did this work for you? Could you post your apache config files? – Chida Aug 17 '12 at 18:02
  • @Chida - No. It's still not working. Do you need the ssl.conf file? – Yahoo Aug 20 '12 at 07:07
  • @Chida - I can email them; can I know your email ID? – Yahoo Aug 20 '12 at 07:17
  • @EricDANNIELOU - I uploaded the Files at http://adimathur.com/ssl.zip – Yahoo Aug 27 '12 at 03:54
  • @Chida -I uploaded the Files at http://adimathur.com/ssl.zip – Yahoo Aug 27 '12 at 03:54
  • It worked for my CentOS server and the grade now is A from ssllabs.com. Thank you, Chida!! – Ilia Ross Sep 05 '13 at 18:45
3

You might want to make sure that there isn't another SSLProtocol or SSLCipherSuite directive anywhere in your Apache config that's overriding the one you just added.

If you can't find it, try adding those two to your SSL vhost rather than ssl.conf. This will help ensure that the correct ones are the last ones applied.

Ladadadada
  • There isn't any duplicate entry in the file. How can I check in the SSL vhost? Where is this file placed? (I'm new here.) – Yahoo Aug 04 '12 at 08:02
  • Using PuTTY, `grep -r SSLProtocol /etc/httpd` should find any duplicates. As for the SSL vhost, I don't know where Plesk puts them but it will probably be with all the other vhosts. A recursive grep for `VirtualHost`, `SSLCertificateFile` or the documentroot will probably do the trick. – Ladadadada Aug 04 '12 at 08:26
  • `/var/www/vhosts/mydomain/conf/vhost_ssl.conf` & `/var/www/vhosts/mydomain/conf/vhost.conf`: in both files I have added `SSLProtocol -ALL +SSLv3 +TLSv1 SSLHonorCipherOrder On SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM` and it still isn't working :/ – Yahoo Aug 04 '12 at 08:49
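The question's `SSLProtocol -ALL +SSLv3 +TLSv1` already excludes SSLv2, so if a scanner still sees SSLv2 the directive that actually applies must live elsewhere, which is the point of this answer. The script below is an added example (not code from the thread or from Apache): it walks a config tree the way `grep -r SSLProtocol` does, but also applies mod_ssl's token rules (a bare name replaces the set, `+name` adds, `-name` removes, `all` is the build's full set) to show what each directive leaves enabled and whether it sits inside a `<VirtualHost>`. It assumes an Apache 2.2-era build whose OpenSSL still has SSLv2 (so `all` includes it), does not resolve `Include`, and runs against a constructed sample tree; the function names are this example's own.

```python
"""Find every SSLProtocol directive in an Apache config tree and show what each enables.

Added example, not code from the thread. Implements mod_ssl's SSLProtocol token rules: a
bare name replaces the set, '+name' adds, '-name' removes, 'all' is the build's full set.
PROTOCOLS_IN_ALL assumes an Apache 2.2-era build whose OpenSSL still has SSLv2, as on
the asker's CentOS host. Include directives are not resolved; roots are walked as files.
"""
import os
import re
import tempfile

PROTOCOLS_IN_ALL = {"SSLv2", "SSLv3", "TLSv1"}   # assumed 2.2-era meaning of 'all'
KNOWN_PROTOCOLS = PROTOCOLS_IN_ALL | {"TLSv1.1", "TLSv1.2"}
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)
VHOST_OPEN_RE = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE_RE = re.compile(r"^\s*</VirtualHost\s*>", re.I)

# Constructed sample tree: the global ssl.conf disables SSLv2 correctly, but a per-site
# vhost file (like the ones under /var/www/vhosts) carries a bare 'SSLProtocol all'.
SAMPLE_FILES = {
    "conf.d/ssl.conf": "SSLEngine on\nSSLProtocol -ALL +SSLv3 +TLSv1\n"
                       "SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT\n",
    "vhosts/example.test/conf/vhost_ssl.conf": "<VirtualHost *:443>\n"
                       "    # leftover from an older template\n    SSLProtocol all\n</VirtualHost>\n",
}


def evaluate_sslprotocol(argument):
    """Return the set of protocols an SSLProtocol argument leaves enabled."""
    enabled = set()
    for token in argument.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            chosen = set(PROTOCOLS_IN_ALL)
        else:
            chosen = {p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()}
            if not chosen:
                raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen            # bare name discards what came before it
    return enabled


def find_directives(roots):
    """Yield (path, line number, inside VirtualHost?, directive, argument) for each hit."""
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for filename in sorted(filenames):
                path = os.path.join(dirpath, filename)
                in_vhost = False
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if line.lstrip().startswith("#"):
                            continue
                        if VHOST_OPEN_RE.match(line):
                            in_vhost = True
                        elif VHOST_CLOSE_RE.match(line):
                            in_vhost = False
                        match = DIRECTIVE_RE.match(line)
                        if match:
                            yield path, lineno, in_vhost, match.group(1), match.group(2)


def audit_sslprotocol(roots):
    """Evaluate every SSLProtocol directive under roots and flag any that offers SSLv2."""
    findings = []
    for path, lineno, in_vhost, directive, argument in find_directives(roots):
        if directive.lower() != "sslprotocol":
            continue
        enabled = evaluate_sslprotocol(argument)
        findings.append({"file": path, "line": lineno, "in_vhost": in_vhost,
                         "argument": argument, "enabled": enabled,
                         "offers_sslv2": "SSLv2" in enabled})
    return findings


def demo():
    """Audit the constructed tree; on a real host pass e.g. ['/etc/httpd', '/var/www/vhosts']."""
    base = tempfile.mkdtemp(prefix="httpd-audit-")
    for relpath, text in SAMPLE_FILES.items():
        full = os.path.join(base, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    findings = sorted(audit_sslprotocol([base]), key=lambda f: f["file"])
    for f in findings:
        scope = "vhost" if f["in_vhost"] else "global"
        flag = "  <-- offers SSLv2" if f["offers_sslv2"] else ""
        print("%s:%d [%s] SSLProtocol %s -> %s%s"
              % (f["file"], f["line"], scope, f["argument"], sorted(f["enabled"]), flag))
    return findings


if __name__ == "__main__":
    demo()
```

A vhost directive is the later one applied for that site, so a finding marked `vhost` with `offers SSLv2` explains a scanner result that the global ssl.conf cannot. If the audit finds nothing that enables SSLv2 anywhere, the SSLv2 handshake the scanner completed was not answered by this Apache at all, which is the proxy or load balancer case Chida raised.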
0

This one worked for me:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH"

Try this one.
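Both this answer's string and Chida's above are OpenSSL cipher-list expressions, and what they actually enable depends on the OpenSSL that Apache is linked against. The snippet below is an added example (not code from the thread) that expands each string through Python's `ssl` module, which hands it to the interpreter's own OpenSSL, and then flags entries a scanner penalises. With `SSLHonorCipherOrder On`, Apache offers the expanded list in this order and picks the first entry the client also supports. On OpenSSL 1.1.1 and later the TLS 1.3 suites are listed first because they are configured separately, and RC4 is no longer built in, so the `RC4` entries in the thread's strings simply match nothing there; the marker list and function names are this example's own.

```python
"""Expand Apache SSLCipherSuite strings with the local OpenSSL and flag legacy ciphers.

Added example, not code from the thread. ssl.SSLContext.set_ciphers() passes the string
to the OpenSSL this interpreter is linked against, so the expansion reflects that build.
"""
import ssl

# Cipher strings exactly as quoted in the two answers above
CHIDA_SUITE = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
EECDH_SUITE = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
               "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH RC4 "
               "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH")

# Substrings of an OpenSSL cipher name that mark it as legacy (constructed for this example)
LEGACY_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP")


def expand_cipher_string(cipher_string):
    """Return the ordered OpenSSL cipher names the string expands to on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def flag_legacy(names):
    """Return the cipher names carrying a legacy marker, preserving list order."""
    return [name for name in names if any(marker in name for marker in LEGACY_MARKERS)]


def report(label, cipher_string):
    """Print the expansion for one string and return (all names, flagged names)."""
    names = expand_cipher_string(cipher_string)
    legacy = flag_legacy(names)
    print("%s: %d ciphers, first entry %s, %d legacy" % (label, len(names), names[0], len(legacy)))
    for name in legacy:
        print("  legacy: %s" % name)
    return names, legacy


if __name__ == "__main__":
    report("Chida", CHIDA_SUITE)
    report("EECDH", EECDH_SUITE)
```

Running it on the server itself (with the system Python, so the same OpenSSL as mod_ssl) is the quickest way to see the list a scanner will be shown; `!MD5` and `!aNULL` in Chida's string should leave nothing flagged for those markers, while any RC4 entry that does appear is the part ssllabs.com marks down.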

-2

To disable SSL in CentOS 6.x, just run the following command:

yum remove mod_ssl

Then

service httpd reload

To enable SSL again, install the "mod_ssl" package like:

yum install mod_ssl

Then

service httpd reload