CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

PROINAGLTD
Posts: 2
Joined: 2014/10/16 09:27:07

CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by PROINAGLTD » 2014/10/16 13:04:50

Hello

My CentOS 6.5 server still looks to be serving SSLv2 and SSLv3.

I have the /etc/httpd/conf.d/ssl.conf:


##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
And at the end


SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
All config files with 'SSLEngine on' have SSLProtocol all -SSLv2 -SSLv3.

Is "SSLProtocol all -SSLv2 -SSLv3" correct? Is there anywhere else I should look to disable the two outdated SSL versions?

Kind regards

Graham

jscarville
Posts: 126
Joined: 2014/06/17 21:50:37

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by jscarville » 2014/10/16 17:26:46

Test SSLv2:
openssl s_client -connect ip.add.re.ss:443 -ssl2

Test SSLv3:
openssl s_client -connect ip.add.re.ss:443 -ssl3

If you see an SSL handshake failure then that protocol is disabled.
Last edited by jscarville on 2014/10/16 18:28:35, edited 1 time in total.

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by aks » 2014/10/16 18:08:07

Just a correction to the previous post:

Test SSLv3:
openssl s_client -connect ip.add.re.ss:443 -ssl3
(that's ssl3 not ssl2) - minor mistake but that's what copy & paste does to us (I know I'm so guilty of that it's unreal).

jscarville
Posts: 126
Joined: 2014/06/17 21:50:37

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by jscarville » 2014/10/16 18:29:20

Thanks. I corrected the command.

PROINAGLTD
Posts: 2
Joined: 2014/10/16 09:27:07

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by PROINAGLTD » 2014/10/30 14:46:29

Hi

Sorry for the delay, didn't realize the post had been approved. So the handshake failed?


openssl s_client -connect 127.0.0.1:443 -ssl3
CONNECTED(00000003)
139821382432584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139821382432584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
When I ran:

if echo Q | openssl s_client -connect domain:443 -ssl3 2> /dev/null | grep -v "Cipher.*0000"; then echo "SSLv3 enabled"; else echo "SSLv3 disabled"; fi

it says:


---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1414680066
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
SSLv3 enabled
Am I patched, so I can stop having nightmares over POODLE? :D

Graham

jscarville
Posts: 126
Joined: 2014/06/17 21:50:37

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by jscarville » 2014/10/30 18:53:20

PROINAGLTD wrote:
Hi

Sorry for the delay, didn't realize the post had been approved. So the handshake failed?

Yes, the handshake failed:

139821382432584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
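An added helper, not from the thread, that applies jscarville's rule to openssl s_client output: a handshake failure, or no negotiated cipher, means the protocol is off. It also shows why the "grep -v Cipher.*0000" one-liner above printed "SSLv3 enabled" on a refused handshake: newer openssl prints "Cipher is (NONE)" and still lists "Protocol : SSLv3", so neither line proves anything. The two transcripts embedded below are constructed from the pasted output; only probe_proto connects to a real host.

```shell
# Added example: classify an "openssl s_client" transcript the way the
# answer above does (handshake failure => disabled), not by the presence
# of a "Protocol : SSLv3" line, which s_client prints even after failure.

# Print "disabled", "enabled" or "unknown" for one s_client transcript.
ssl_proto_state() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo disabled                # server refused it (alert number 40)
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo disabled                # no cipher => nothing was negotiated
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo enabled                 # a real cipher was agreed on
    else
        echo unknown                 # not an s_client transcript
    fi
}

# Live probe of your own server: probe_proto host 443 ssl3 (this connects;
# stderr is kept because that is where the handshake failure is printed).
probe_proto() {
    out=$(echo Q | openssl s_client -connect "$1:$2" "-$3" 2>&1)
    ssl_proto_state "$out"
}

# Constructed transcript: the refused SSLv3 handshake pasted in the thread.
FAILED='CONNECTED(00000003)
139821382432584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3'

# Constructed transcript: what a server that still accepts SSLv3 prints.
ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3'

echo "pasted output:   $(ssl_proto_state "$FAILED")"    # disabled
echo "vulnerable host: $(ssl_proto_state "$ACCEPTED")"  # enabled
```

With stderr discarded as in the one-liner (2> /dev/null), the "Cipher is (NONE)" branch still classifies the failed handshake correctly.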

chant9
Posts: 1
Joined: 2014/12/16 18:03:31

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by chant9 » 2014/12/16 19:29:37

I'm also trying to disable SSLv3 and SSLv2, but after checking /etc/httpd/conf.d/ssl.conf the whole VirtualHost section seems to be commented out, and it's at the bottom of the file. Should I just remove one of the # off each line?

/etc/httpd/conf.d/ssl.conf:


##
## SSL Virtual Host Context
##

#<VirtualHost _default_:443>
#
## General setup for the virtual host, inherited from global configuration
##DocumentRoot "/var/www/html"
##ServerName www.example.com:443
#
## Use separate log files for the SSL virtual host; note that LogLevel
## is not inherited from httpd.conf.
#ErrorLog logs/ssl_error_log
#TransferLog logs/ssl_access_log
#LogLevel warn
#
##   SSL Engine Switch:
##   Enable/Disable SSL for this virtual host.
#SSLEngine on
#
##   SSL Protocol support:
## List the enable protocol levels with which clients will be able to
## connect.  Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
#
##   SSL Cipher Suite:
## List the ciphers that the client is permitted to negotiate.
## See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
#
##   Server Certificate:
## Point SSLCertificateFile at a PEM encoded certificate.  If
## the certificate is encrypted, then you will be prompted for a
## pass phrase.  Note that a kill -HUP will prompt again.  A new
## certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#
##   Server Private Key:
##   If the key is not combined with the certificate, use this
##   directive to point at the key file.  Keep in mind that if
##   you've both a RSA and a DSA private key you can configure
##   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#
##   Server Certificate Chain:
##   Point SSLCertificateChainFile at a file containing the
##   concatenation of PEM encoded CA certificates which form the
##   certificate chain for the server certificate. Alternatively
##   the referenced file can be the same as SSLCertificateFile
##   when the CA certificates are directly appended to the server
##   certificate for convinience.
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#
##   Certificate Authority (CA):
##   Set the CA certificate verification path where to find CA
##   certificates for client authentication or alternatively one
##   huge file containing all of them (file must be PEM encoded)
##SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#
##   Client Authentication (Type):
##   Client certificate verification type and depth.  Types are
##   none, optional, require and optional_no_ca.  Depth is a
##   number which specifies how deeply to verify the certificate
##   issuer chain before deciding the certificate is not valid.
##SSLVerifyClient require
##SSLVerifyDepth  10
#
##   Access Control:
##   With SSLRequire you can do per-directory access control based
##   on arbitrary complex boolean expressions containing server
##   variable checks and other lookup directives.  The syntax is a
##   mixture between C and Perl.  See the mod_ssl documentation
##   for more details.
##<Location />
##SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
##            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
##            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
##            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
##            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
##           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
##</Location>
#
##   SSL Engine Options:
##   Set various options for the SSL engine.
##   o FakeBasicAuth:
##     Translate the client X.509 into a Basic Authorisation.  This means that
##     the standard Auth/DBMAuth methods can be used for access control.  The
##     user name is the `one line' version of the client's X.509 certificate.
##     Note that no password is obtained from the user. Every entry in the user
##     file needs this password: `xxj31ZMTZzkVA'.
##   o ExportCertData:
##     This exports two additional environment variables: SSL_CLIENT_CERT and
##     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
##     server (always existing) and the client (only existing when client
##     authentication is used). This can be used to import the certificates
##     into CGI scripts.
##   o StdEnvVars:
##     This exports the standard SSL/TLS related `SSL_*' environment variables.
##     Per default this exportation is switched off for performance reasons,
##     because the extraction step is an expensive operation and is usually
##     useless for serving static content. So one usually enables the
##     exportation for CGI and SSI requests only.
##   o StrictRequire:
##     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
##     under a "Satisfy any" situation, i.e. when it applies access is denied
##     and no other module can change it.
##   o OptRenegotiate:
##     This enables optimized SSL connection renegotiation handling when SSL
##     directives are used in per-directory context.
##SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>
#
##   SSL Protocol Adjustments:
##   The safe and default but still SSL/TLS standard compliant shutdown
##   approach is that mod_ssl sends the close notify alert but doesn't wait for
##   the close notify alert from client. When you need a different shutdown
##   approach you can use one of the following variables:
##   o ssl-unclean-shutdown:
##     This forces an unclean shutdown when the connection is closed, i.e. no
##     SSL close notify alert is send or allowed to received.  This violates
##     the SSL/TLS standard but is needed for some brain-dead browsers. Use
##     this when you receive I/O errors because of the standard approach where
##     mod_ssl sends the close notify alert.
##   o ssl-accurate-shutdown:
##     This forces an accurate shutdown when the connection is closed, i.e. a
##     SSL close notify alert is send and mod_ssl waits for the close notify
##     alert of the client. This is 100% SSL/TLS standard compliant, but in
##     practice often causes hanging connections with brain-dead browsers. Use
##     this only for browsers where you know that their SSL implementation
##     works correctly.
##   Notice: Most problems of broken clients are also related to the HTTP
##   keep-alive facility, so you usually additionally want to disable
##   keep-alive for those clients, too. Use variable "nokeepalive" for this.
##   Similarly, one has to force some clients to use HTTP/1.0 to workaround
##   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
##   "force-response-1.0" for this.
#SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
#
##   Per-Server Logging:
##   The home of a custom SSL log file. Use this when you want a
##   compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#
#</VirtualHost>
Thanks in advance

TrevorH
Forum Moderator
Posts: 29914
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 6.5 Apache 2.2 disable SSLV3 and SSLV2

Post by TrevorH » 2014/12/16 21:44:12

If everything in ssl.conf is commented out and your server is listening on port 443 and serving web pages over https then the config must be in a different file. The default location is ssl.conf but a previous admin may have set it up differently - only you can tell that by looking through all the various files in /etc/httpd/conf and /etc/httpd/conf.d.
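An added check, not from the thread, that does the search TrevorH describes in one pass: it scans the .conf files under the directories you give it, ignores commented-out lines (so a file like chant9's all-commented ssl.conf is skipped rather than mistaken for a hardened one), and for each file that really has "SSLEngine on" reports whether its SSLProtocol line still leaves SSLv2 or SSLv3 enabled. The demo directory and its three files are constructed here; on a real box run audit_sslprotocol /etc/httpd/conf /etc/httpd/conf.d.

```shell
# Added example, not from the thread: audit every *.conf under the given
# directories, skipping commented-out lines (chant9's ssl.conf is all comments),
# and report whether each real "SSLEngine on" file still allows SSLv2/SSLv3.

# Print a file's directives with comments and blank lines removed.
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# Exit 0 if the SSLProtocol token list leaves both SSLv2 and SSLv3 off.
# Tokens apply left to right as in mod_ssl: "all" turns the legacy versions
# on, "-SSLv3" turns one off, "-all" clears everything (case-insensitive).
legacy_disabled() {
    v2=0; v3=0
    for t in "$@"; do
        case "$(printf '%s' "$t" | tr 'A-Z' 'a-z')" in
            all|+all)     v2=1; v3=1 ;;
            -all)         v2=0; v3=0 ;;
            sslv2|+sslv2) v2=1 ;;
            -sslv2)       v2=0 ;;
            sslv3|+sslv3) v3=1 ;;
            -sslv3)       v3=0 ;;
        esac
    done
    [ "$v2" = 0 ] && [ "$v3" = 0 ]
}

# For each *.conf that really enables SSL print "<file> ok|weak|missing".
audit_sslprotocol() {
    find "$@" -type f -name '*.conf' | sort | while read -r f; do
        active_lines "$f" | grep -qi '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' || continue
        line=$(active_lines "$f" | grep -i '^[[:space:]]*SSLProtocol' | tail -n 1)
        if [ -z "$line" ]; then echo "$f missing"; continue; fi
        set -- $line; shift          # drop the directive name, keep its tokens
        if legacy_disabled "$@"; then echo "$f ok"; else echo "$f weak"; fi
    done
}

# Constructed stand-in for /etc/httpd/conf.d: chant9's commented-out vhost,
# a hardened vhost, and one that still allows SSLv3 (all made up here).
make_demo_tree() {
    d=$(mktemp -d)
    printf '#<VirtualHost _default_:443>\n#SSLEngine on\n#SSLProtocol all -SSLv2\n' > "$d/ssl.conf"
    printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$d/site.conf"
    printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$d/old.conf"
    echo "$d"
}

DEMO=$(make_demo_tree)
audit_sslprotocol "$DEMO"   # prints ".../old.conf weak" then ".../site.conf ok"
rm -rf "$DEMO"
```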
