Disable SSL3 from certificate

Hi every one
after update my certificate i use https://www.ssllabs.com/ssltest to test, it show that i have to disable SSL3, am trying this HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS) but not working for me.
am using ubuntu 12.04, apache 2.2 and openssl 1.1
any help will be much appreciated

are you really sure you want to do that ?

If it's a test domain, and very few people need to use it, and you're doing it for education purposes ... then all is good :slight_smile: if it's a life domain, that users want to get to then having all 100's on ssllabs will block some of your users.

Can you provide a little more info ? are you trying to get to all 100's ? or just get a good secure site, available to most users ?
What's the domain name ?
What's the current apache config for that domain ( pastebin.com is probably the easiest place to paste that )

thank you for reply
it not important to get 100s just good secure will be enough, my domain is mail1.uofk.edu
and this is the apache vhost conf file:

SSLEngine on
SSLCompression off
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/mail1.uofk.edu/fullchaindh.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail1.uofk.edu/privkey.pem

OK, that makes much more sense :slight_smile:

Redirecting to ssl-config.mozilla.org... is a good resource

in your above example, I'd start by adding the line

SSLProtocol all -SSLv3

then reload apache and test again

:grinning: this is great, SSL3 disabled now and my rate become B now
it gave me weak DH, do u think it’s important to increase 1024 bit to 2048?

D to B - that's good - going in the right direction :slight_smile:

Personally I would, yes.

It's worth using the Mozilla link above to determine which ciphers etc are good for you.
One to be careful with though is

Header always set Strict-Transport-Security "max-age=15768000"

especially if including options like subdomains. Basically it's forcing your users to always use HTTPS ( which is a good thing ), but only once you have tested and made sure everything is working, otherwise you will block your users from your site :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.