Disable SSL3 from certificate


#1

Hi everyone,
after updating my certificate I used https://www.ssllabs.com/ssltest to test it, and it shows that I have to disable SSL3. I am trying this HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS), but it is not working for me.
I am using Ubuntu 12.04, Apache 2.2 and OpenSSL 1.1.
Any help will be much appreciated.


#2

Are you really sure you want to do that?

If it's a test domain, very few people need to use it, and you're doing it for educational purposes, then all is good :slight_smile: If it's a live domain that users want to get to, then having all 100s on SSL Labs will block some of your users.

Can you provide a little more info? Are you trying to get all 100s, or just a good, secure site that is available to most users?
What's the domain name?
What's the current Apache config for that domain? (pastebin.com is probably the easiest place to paste it.)


#3

Thank you for the reply.
It's not important to get 100s, just good security will be enough. My domain is mail1.uofk.edu
and this is the Apache vhost conf file:

SSLEngine on
SSLCompression off
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/mail1.uofk.edu/fullchaindh.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail1.uofk.edu/privkey.pem


#4

OK, that makes much more sense :slight_smile:

https://mozilla.github.io/server-side-tls/ssl-config-generator/ is a good resource.

In your above example, I'd start by adding the line

SSLProtocol all -SSLv3

then reload Apache and test again.


#5

:grinning: This is great, SSL3 is disabled now and my rating has become B.
It gave me "weak DH"; do you think it's important to increase 1024 bit to 2048?


#6

D to B, that's good, going in the right direction :slight_smile:

Personally I would, yes.

It's worth using the Mozilla link above to determine which ciphers etc. are good for you.
One to be careful with, though, is

Header always set Strict-Transport-Security "max-age=15768000"

especially if including options like subdomains. Basically it forces your users to always use HTTPS (which is a good thing), but only enable it once you have tested and made sure everything is working, otherwise you will block your users from your site :wink:
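An added example, not from anyone in this thread, that checks a vhost file for the two points raised above (posts #4 and #6): whether SSLv3 can still be negotiated, and whether HSTS is set and whether it covers subdomains. It is plain text processing, so it can be run against a config before reloading Apache; the SSLv3 logic assumes mod_ssl's token rules (no directive means "all", a bare protocol name replaces the set, "+" adds and "-" removes).

```shell
#!/bin/sh
# Print the arguments of the last SSLProtocol directive in a file
# (Apache honours the last one; empty output means the directive is absent).
last_sslprotocol() {
    awk 'tolower($1)=="sslprotocol" { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, ""); v=$0 }
         END { print v }' "$1"
}

# Exit 0 if SSLv3 cannot be negotiated, 1 if it can.
# Assumed mod_ssl semantics: no directive => default "all" (SSLv3 included);
# tokens are processed left to right, case-insensitively.
sslv3_disabled() {
    args=$(last_sslprotocol "$1" | tr 'A-Z' 'a-z')
    [ -z "$args" ] && return 1          # default "all" still offers SSLv3
    on=0
    for tok in $args; do
        case "$tok" in
            -sslv3|-all)            on=0 ;;   # removed from the set
            +sslv3|+all|sslv3|all)  on=1 ;;   # added to, or replaces, the set
            -*|+*)                  : ;;      # other protocol added/removed
            *)                      on=0 ;;   # bare token (e.g. tlsv1.2) replaces the set
        esac
    done
    [ "$on" -eq 0 ]
}

# Print "none" (no HSTS header), "set" (HSTS without subdomains) or
# "subdomains" (HSTS with includeSubDomains, the case post #6 warns about).
hsts_scope() {
    line=$(grep -i 'Strict-Transport-Security' "$1" | tail -n 1)
    [ -z "$line" ] && { echo none; return; }
    case "$line" in
        *[iI]ncludeSubDomains*) echo subdomains ;;
        *)                      echo set ;;
    esac
}

# Constructed sample: the vhost from post #3 with post #4's line added.
sample=$(mktemp)
cat >"$sample" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLHonorCipherOrder on
EOF
if sslv3_disabled "$sample"; then echo "SSLv3: disabled"; else echo "SSLv3: still enabled"; fi
echo "HSTS: $(hsts_scope "$sample")"
rm -f "$sample"
```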

