How to actually disable SSL3 on a ubuntu 14.04 LTS

Question

I am running a server which has tomcat7 and apache2 on it. I issue the following command via another remote host:

openssl s_client -connect my_site:443 -ssl3

This returns:

CONNECTED(00000003)
139773982140064:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1462854225
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I want to disable SSLv3 , how do i do it?

You need to do it in your web server config. Google "disable SSLv3 in apache" (or "nginx" if you're using that). — Neil Smithline, May 10 '16 at 04:38
SSLv3 seems to be already disabled. The TLS handshake fails: `...wrong version number...Cipher : 0000`. — Steffen Ullrich, May 10 '16 at 04:40
Because this is what the client tried to use. `s_client` is just a debugging tool so the output is not really user friendly. but the tell-tales in this case are the error message and that it did not get a common cipher (i.e. NONE or 0000). — Steffen Ullrich, May 10 '16 at 05:13
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/659/17/how-to----disable-weak-ciphers-in-tomcat-7--8, but listen to @SteffenUllrich, he's the master of SSL. — Neil Smithline, May 10 '16 at 05:17

score 0 · Accepted Answer · answered May 10 '16 at 07:11

0

Add or update the following lines in your configuration:

SSLProtocol all -SSLv2 -SSLv3

Then run: sudo apache2ctl configtest && sudo service apache2 restart

answered May 10 '16 at 07:11

Nullpointer

164
8

Ravi - it sounds like the OP may be running Tomcat 7 as the web server as well. as the Servlet container. That's an atypical deployment strategy, but possible. That said, I'm really not certain based on the little information we have gotten from the OP. – Neil Smithline May 10 '16 at 14:39

How to actually disable SSL3 on a ubuntu 14.04 LTS

1 Answers1