SSLv3 and Certbot/Apache


Hi, on my CentOS 7.x server I installed certbot to use Let's Encrypt, but after everything was set up, Apache still supports the SSLv3 protocol.

I also added these directives in the 2 virtualhosts:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3

but no change occurred… Any ideas?


Have you reloaded Apache since making the change to the virtualhost?

If so, then please provide as much detail as possible (domain name, do you have root access, do you use a control panel, etc.)


Thanks for your “speedy” reply.

Yes, of course I reloaded the config :wink:

I have a personal VPS with root access. This is the main configuration:

[root@jupiter ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@jupiter ~]# httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built:   Jul 18 2016 15:30:14

I use LE with domain, and check SSLv3 is enabled using this:


You have an interesting configuration where you are offering 2 certificates (one self-signed)

What is your full Apache config? Can you paste it at or somewhere?


Which configuration do you need? It is a simple Apache with 2 virtualhosts…


If you could paste the virtualhosts config and the default SSL config, that would be great (edit your email address if it’s in there by all means)


That’s it, here is my configuration.


You don’t appear to be disabling

Try changing your “SSLProtocol TLSv1.2” lines to

SSLProtocol all -SSLv3


SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

depending how restrictive you want to be.


I already tried but with no results, but perhaps I used the wrong files… In which files do I need to write those directives?!


All of them where you have SSL defined - so in the list you have pasted to pastebin


I also suspect your default_ssl.conf file (which you didn’t paste) … just grep for 433 and then add to all those files :wink: remembering to reload apache of course after doing the updates.


You are right!
I was thinking that the default configuration was overridden by the single virtualhost configuration…

Now, putting this in the default config

SSLProtocol all -SSLv2 -SSLv3

I get an A on SSL Labs! Good!

My next step is now to follow the directives at this site, which you probably already know:

A brief consideration: even certbot can modify the default configuration of any server, but a simple alert about disabling poor SSL protocols and ciphers would IMHO be a good idea… Or not?

Thanks a lot for all!
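
As an added example (not posted by anyone in this thread, and not Certbot's or Apache's own tooling), here is the "check every file where SSL is defined" advice as a script: it reports, per config file, whether its SSLProtocol lines leave SSLv3 enabled or are missing altogether. The function names, the token-parsing rules and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which Apache config files leave SSLv3 enabled.

# Prints "sslv3" if an SSLProtocol argument list leaves SSLv3 on, else "ok".
# Assumptions: a bare token replaces the set, +token adds, -token removes,
# and "all" includes SSLv3 (as on the Apache 2.4.6 build in this thread).
classify_sslprotocol() {
    state=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            -all|-sslv3)           state=0 ;;
            all|sslv3|+all|+sslv3) state=1 ;;
            +*|-*)                 ;;          # other protocol added/removed
            *)                     state=0 ;;  # bare TLS token replaces the set
        esac
    done
    if [ "$state" -eq 1 ]; then echo sslv3; else echo ok; fi
}

# Prints "<status> <file>" for every *.conf under $1 that configures TLS.
# status: ok | sslv3 | missing (no SSLProtocol line, so a default applies).
audit_ssl_configs() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        grep -Eiq '^[[:space:]]*(SSLEngine[[:space:]]|<VirtualHost[^>]*:443)' "$f" || continue
        protos=$(awk 'tolower($1) == "sslprotocol" { $1 = ""; print }' "$f")
        status=missing
        if [ -n "$protos" ]; then
            status=ok
            while IFS= read -r p; do
                if [ "$(classify_sslprotocol "$p")" = sslv3 ]; then status=sslv3; fi
            done <<EOF
$protos
EOF
        fi
        echo "$status $f"
    done
}

# Constructed sample tree (not the poster's real files): the vhost is fixed,
# the default ssl.conf is not, which is the situation found in the thread.
demo_dir=$(mktemp -d)
printf '<VirtualHost _default_:443>\nSSLEngine on\nSSLProtocol all -SSLv2\n</VirtualHost>\n' > "$demo_dir/ssl.conf"
printf '<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol ALL -SSLv2 -SSLv3\n</VirtualHost>\n' > "$demo_dir/site-a.conf"
printf '<VirtualHost *:443>\n  SSLEngine on\n</VirtualHost>\n' > "$demo_dir/site-b.conf"
printf '<VirtualHost *:80>\n  ServerName example.test\n</VirtualHost>\n' > "$demo_dir/plain.conf"
audit_ssl_configs "$demo_dir"
```

On a real host, point audit_ssl_configs at the Apache configuration root (/etc/httpd on CentOS), fix every file reported as sslv3 or missing, and reload Apache afterwards.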

