SSLv3 and Certbot/Apache

Hi, on my CentOS 7.x server I installed certbot to use letsencrypt, but after everything is set up, apache still supports the sslv3 protocol.

I also added these directives in the 2 virtualhosts:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3

but no change occurs… Any ideas?

Have you reloaded apache since making the change to the virtualhost?

If so, then please provide as much detail as possible (domain name, do you have root access, do you use a control panel etc.)

Thanks for your “speedy” reply.

Yes, of course I reloaded the config :wink:

I have a personal VPS with root access. This is the main configuration:

[root@jupiter ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@jupiter ~]# httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built:   Jul 18 2016 15:30:14

I use LE with the grambot.tk domain, and checked that SSLv3 is enabled using this:
https://www.ssllabs.com/ssltest/analyze.html?d=grambot.tk

You have an interesting configuration where you are offering 2 certificates (one self-signed).

What is your full apache config? Can you paste it at pastebin.com or somewhere?

Which configuration do you need? It is a simple apache with 2 virtualhosts…

If you could paste the virtualhosts config and the default SSL config, that would be great (edit out your email address if it’s in there, by all means).

That’s it, here is my configuration.

http://pastebin.com/Brd6wVtG

You don't appear to be disabling

try changing your "SSLProtocol TLSv1.2" lines to

SSLProtocol all -SSLv3

or

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

depending on how restrictive you want to be.

I already tried, but with no results; perhaps I used the wrong files… In which files do I need to write those directives?!

All of them where you have SSL defined, so in the list you pasted to pastebin:

/etc/httpd/sites-enabled/grambot.tk-le-ssl.conf
/etc/httpd/sites-enabled/whereismycar.tk-le-ssl.conf

I also suspect your default_ssl.conf file (which you didn't paste) ... just grep for 433 and then add it to all those files :wink:, remembering to reload apache of course after doing the updates.

You are right!
I was thinking that the default configuration was overridden by the single virtualhost configuration…

Now putting in the default config

SSLProtocol all -SSLv2 -SSLv3

I get an A on SSL Labs! Good!

My next step now is to follow the directives at this site, which you probably already know:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

A brief consideration: even if certbot can modify the default configuration of any server, a simple alert about disabling poor SSL protocols and ciphers IMHO must be a good idea… Or not?

Thanks a lot for all!
