SSLv3 and Certbot/Apache


#1

Hi, on my CentOS 7.x server I installed certbot to use Let's Encrypt, but after everything is set up, Apache still supports the SSLv3 protocol.

I also added these directives in the 2 virtualhosts:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3

but no change occurs… Any ideas?


#2

Have you reloaded Apache since making the change to the virtualhost?

If so, then please provide as much detail as possible (domain name, do you have root access, do you use a control panel, etc.)


#3

Thanks for your “speedy” reply.

Yes, of course I reloaded the config :wink:

I have a personal VPS with root access. This is the main configuration:

[root@jupiter ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@jupiter ~]# httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built:   Jul 18 2016 15:30:14

I use LE with the grambot.tk domain, and checked that SSLv3 is enabled using this:
https://www.ssllabs.com/ssltest/analyze.html?d=grambot.tk


#4

You have an interesting configuration where you are offering 2 certificates (one self-signed).

What is your full Apache config? Can you paste it at pastebin.com or somewhere?


#5

Which configuration do you need? It's a simple Apache with 2 virtualhosts…


#6

If you could paste the virtualhosts config and the default SSL config, that would be great (edit out your email address if it's in there, by all means).


#7

That's it, here is my configuration.

http://pastebin.com/Brd6wVtG


#8

You don’t appear to be disabling

try changing your “SSLProtocol TLSv1.2” lines to

SSLProtocol all -SSLv3

or

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

depending how restrictive you want to be.


#9

I already tried, but no results; perhaps I used the wrong files… In which files do I need to write those directives?!


#10

All of them where you have SSL defined, so in the list you pasted to pastebin:

/etc/httpd/sites-enabled/grambot.tk-le-ssl.conf
/etc/httpd/sites-enabled/whereismycar.tk-le-ssl.conf

I also suspect your default_ssl.conf file (which you didn't paste)… just grep for 443 and then add it to all those files :wink: remembering to reload Apache, of course, after doing the updates.


#11

You are right!
I was thinking that the default configuration was overridden by the single virtualhost configuration…

Now putting in the default config

SSLProtocol all -SSLv2 -SSLv3

I get an A on SSL Labs! Good!

My next step is now to follow the directives at this site, which you probably already know:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

A brief consideration: even though certbot can modify the default configuration of any server, a simple alert about disabling weak SSL protocols and ciphers would IMHO be a good idea… Or not?

Thanks a lot for all!
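The lesson of #10 and #11 is that a per-virtualhost SSLProtocol is not enough on an httpd of this vintage: the protocol version is negotiated before SNI selects a name-based host, so the SSLProtocol that applies to the default (first-loaded) :443 host, normally the stock ssl.conf, is what an external scanner sees. Below is an added audit script, not part of the original thread and not certbot's or Apache's own code, that evaluates SSLProtocol directives the way httpd does (last directive in a scope wins, a vhost inherits the server-level value, "all" is a base set that +/- tokens adjust) and reports whether the default :443 host still speaks SSLv3. The file contents are constructed to mirror the thread (stock CentOS 7 ssl.conf without any SSLProtocol, plus a certbot-generated vhost that disables SSLv3 only for itself); the load order, the expansion of "all", and the 2.4.6-era default of "all" (later releases default to "all -SSLv3") are assumptions stated in the code.

```python
import re
from collections import OrderedDict

# What "SSLProtocol all" expands to. Assumption: a 2.4-era build; the exact
# set depends on the OpenSSL that httpd is linked against.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Apache 2.4.6 (the version in the thread) defaults to "all"; 2.4.17+ defaults
# to "all -SSLv3", so an unset directive must be treated as SSLv3-enabled here.
DEFAULT_SSLPROTOCOL = "all"

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.M | re.I)
ENGINE_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)


def parse_ssl_protocol(value):
    """Evaluate an SSLProtocol argument list into the set of enabled versions."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        elif name.lower() in CANONICAL:
            names = (CANONICAL[name.lower()],)
        else:
            raise ValueError("unknown protocol token: %r" % tok)
        for n in names:
            (enabled.add if sign == "+" else enabled.discard)(n)
    return enabled


def last_directive(scope_text):
    """Return the last SSLProtocol value in a scope (last one wins), or None."""
    found = DIRECTIVE_RE.findall(scope_text)
    return found[-1] if found else None


def audit(files):
    """files: ordered mapping path -> config text, in httpd load order.
    Returns one record per TLS virtual host with the protocols it ends up with
    and whether it is the default (first-loaded) :443 host, whose SSLProtocol
    governs the handshake before SNI picks a name-based host."""
    server_value = None                      # server-level scope spans all files
    for text in files.values():
        v = last_directive(VHOST_RE.sub("", text))
        if v:
            server_value = v
    records = []
    for path, text in files.items():
        for addr, body in VHOST_RE.findall(text):
            if ":443" not in addr and not ENGINE_RE.search(body):
                continue                     # plain-HTTP host, nothing to check
            value = last_directive(body) or server_value or DEFAULT_SSLPROTOCOL
            records.append({"file": path, "vhost": addr.strip(),
                            "protocols": parse_ssl_protocol(value),
                            "default": not records})   # first TLS host seen
    return records


def sslv3_reachable(files):
    """True if the default :443 host still speaks SSLv3 (what SSL Labs sees)."""
    for r in audit(files):
        if r["default"]:
            return "SSLv3" in r["protocols"]
    return False


# Constructed sample files mirroring the thread. Assumed load order:
# conf.d/ssl.conf first, then the certbot-generated sites-enabled/*.conf.
BEFORE = OrderedDict([
    ("/etc/httpd/conf.d/ssl.conf", """
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""),
    ("/etc/httpd/sites-enabled/grambot.tk-le-ssl.conf", """
<VirtualHost *:443>
    ServerName grambot.tk
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/grambot.tk/cert.pem
</VirtualHost>
"""),
])

# Same server after adding the directive to the default config, as post #11 did.
AFTER = OrderedDict(BEFORE)
AFTER["/etc/httpd/conf.d/ssl.conf"] = ("SSLProtocol all -SSLv2 -SSLv3\n"
                                        + BEFORE["/etc/httpd/conf.d/ssl.conf"])

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        for r in audit(files):
            print(label, r["file"], r["vhost"], "default" if r["default"] else "",
                  "weak:", sorted(r["protocols"] & WEAK))
        print(label, "SSLv3 reachable on default host:", sslv3_reachable(files))
```

To run it against a real box, read the files in the order httpd includes them (on CentOS 7, conf.d/*.conf and whatever httpd.conf includes) into the ordered mapping; `httpd -S` lists the virtual hosts in that order and marks the default one, which is the record the script flags as `default`. The script only reasons about the configuration; the authoritative check is still an external handshake, either SSL Labs as in #3 or `openssl s_client -ssl3 -connect grambot.tk:443`, keeping in mind that many current OpenSSL builds no longer include SSLv3 client support, in which case that command fails for the wrong reason.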


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.