
One of my clients wanted me to upgrade OpenSSL and Apache on his server because he wants to receive an A from SSL Labs. I went ahead and upgraded Apache to 2.4.18 and OpenSSL to version 1.0.2e. I then modified Apache's SSL configuration to match the following:

# SSL Protocols/Ciphers
# Enable every protocol mod_ssl knows, then remove SSLv2 and SSLv3
SSLProtocol All -SSLv2 -SSLv3
# Prefer the server's cipher order over the client's
SSLHonorCipherOrder On
# Cipher list, entries separated by a single ':' (a '::' would leave an empty entry)
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# TLS-level compression off (CRIME)
SSLCompression off

I ran an SSL Test from SSL Labs and I still receive the following warning:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

In the protocols list, it says YES to SSL 3 even though the configuration above says it should be disabled.

I've tried many cipher combinations found by searching the web, and I always get the same result. I've also searched every *.conf file for an SSL configuration, but there's none except my SSL file above.

The website's URL: https://orders.expotools.biz

SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=orders.expotools.biz

David Bélanger
  • Are you sure this bit of configuration actually gets applied? Apache has non-intuitive (at first glance) rules for SSL configuration. That's because before TLS implemented support for [SNI](https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI), all SSL configuration was essentially global (no matter whether you've defined it inside a virtual host section), and, IIRC, the first one found by Apache won, with the rest being ignored. See [this](https://wiki.apache.org/httpd/CommonMisconfigurations#Multiple_SSL_name_based_virtual_hosts_on_the_same_interface.) for more info. – kostix Jan 21 '16 at 14:17
    I'd start with figuring out which vhost gets loaded first, and making sure its configuration defines sensible defaults for SSL/TLS. – kostix Jan 21 '16 at 14:18
  • There's only 1 vhost with SSL. After doing a grep search, only this file on the server has the wording "SSLProtocol" or "SSLCipherSuite". If I change the configuration at this point, the results are different. I'll keep looking. – David Bélanger Jan 21 '16 at 14:19
  • It seems like you have solved your problem. You should tell us how you did it. – user9517 Jan 23 '16 at 09:53
  • @lain Sorry, forgot to post the solution. I posted it below. – David Bélanger Jan 23 '16 at 17:09

2 Answers


ssllabs could be caching the result. I recall using a link or button on the ssllabs results page to clear the cache and recheck the web server.

Chad Clark

In order to make it work, I had to recompile OpenSSL with the following command: ./config --prefix=/usr no-threads shared no-ssl3. I also had to recompile Apache afterwards to enable the changes. Works like a charm.

David Bélanger
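An added static check for the situation in this thread, written here and not part of the question, the answers or Apache itself: it expands SSLProtocol tokens the way mod_ssl 2.4 does, flags the stray "::" in the cipher string, and reports every SSLEngine-on vhost in file order, since (per kostix's comment) the first one's settings are the ones the handshake uses. It only reads config text, using a constructed sample; a clean result is necessary but not sufficient, as the second answer shows the OpenSSL build itself may still need no-ssl3.

```python
import re
# Constructed sample: the question's directives (with the '::' typo) in the first
# vhost, and a second TLS vhost that removes SSLv2 (a no-op in 2.4) but forgets SSLv3.
SAMPLE_CONF = """<VirtualHost *:443>
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256::kEDH+AESGCM:!aNULL:!RC4
  SSLCompression off
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol All -SSLv2
</VirtualHost>"""

# What 'all' expands to in mod_ssl 2.4 built against OpenSSL >= 1.0.1 (SSLv2 was dropped)
ALL_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def parse_vhosts(text):
    """One {directive: value} dict (keys lower-cased) per <VirtualHost>, in file order."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S | re.I):
        pairs = (l.split(None, 1) for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#"))
        vhosts.append({p[0].lower(): (p[1].strip() if len(p) > 1 else "") for p in pairs})
    return vhosts

def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right: 'all' adds every version, '-X' removes, 'X'/'+X' adds."""
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-").lower()
        names = ALL_VERSIONS if name == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled

def audit(text):
    """Findings for every vhost with SSLEngine on; the first such vhost governs the handshake."""
    findings = []
    for i, vh in enumerate(parse_vhosts(text)):
        if vh.get("sslengine", "").lower() != "on":
            continue
        proto = vh.get("sslprotocol")
        if proto is None:
            findings.append(f"vhost {i}: no SSLProtocol, the build default applies")
        elif "sslv3" in enabled_protocols(proto):
            findings.append(f"vhost {i}: SSLv3 enabled by '{proto}'")
        ciphers = vh.get("sslciphersuite", "")
        if ciphers and "" in ciphers.split(":"):
            findings.append(f"vhost {i}: empty entry in SSLCipherSuite (stray ':')")
    return findings
```

Run audit() over the concatenated output of every *.conf that mod_ssl loads, not just the one file you edited, and confirm the result with a live handshake test afterwards.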