
Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/22 23:17:55
by kafkaah

Just been informed that there is a bug in the current Apache 2.4 version of CentOS 7:

This bug prevents removing the SSL protocol SSLv3 (the one targeted by Poodle). Basically, the "All" keyword is ignored in:

SSLProtocol All -SSLv2 -SSLv3

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

I'm told that Apache 2.4.16 solves this bug.

I wonder when this Apache version will be available for CentOS 7? And in the meantime, how does one go about patching this problem, if it's possible (no workaround seems available)?


Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/23 07:11:49
by avij
Are you sure it does not work? RH suggests using SSLProtocol All -SSLv2 -SSLv3, so I would assume the instructions would work. Have you tested your server?

Also, I'm not sure if you are reading the bug report correctly. The bug apparently prevents enabling SSLv3 for a virtual host if SSLv3 is globally disabled. You probably don't even want that, but instead you should be disabling SSLv3 everywhere.

If you are using mod_spdy, it may interfere with this configuration.

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/23 08:30:39
by kafkaah

Yes, the server was tested - as a matter of fact at the URL provided - with configuration:

SSLProtocol All -SSLv2 -SSLv3

without success. The protocol is still on and the Poodle vuln. is detected. Seems like the directive is totally ignored.

I agree that the bug seems not to be directly related, but it's one of the Apache committers, Yann Ylavic, who pointed it out to us after a full description of our problem was given on the Apache users message board (

About mod_spdy: the problem we have with the directive is happening on a clean install of Apache on a brand new CentOS 7, without any other foreign package. Furthermore, the directive is not conflicting with any other (it is the same for the _default_ VirtualHost in ssl.conf and the VirtualHost affected).

As far as we can tell, it is not possible in any way to disable SSLv3 (we have also tried: SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 with the same result).

I did not test the version 2.4.16, but I tend to believe what an Apache committer says about this. Or it just might be another bug...

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/23 09:19:05
by avij
Funny, it works fine here. I don't normally use Apache httpd, but I set up a test server for this purpose. What I did was:
  • install minimal CentOS 7
  • yum update
  • reboot
  • yum install mod_ssl (this pulls in httpd)
  • edit /etc/httpd/conf.d/ssl.conf:
    • SSLProtocol all -SSLv2 -SSLv3
    • add SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, comment out the previous entries
  • copy certificates and keys to the server
  • service httpd start
  • firewall-cmd --add-service https
and then I tested the server. With this configuration, SSLLabs says I have TLS 1.0, TLS 1.1 and TLS 1.2 enabled, and SSL2 and SSL3 disabled.

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/24 03:54:27
by kafkaah

Many, many thanks for that test installation. I would only have wished you also had that problem :D . What you did is basically what we did, step by step.

Seems like all the SSL directives are ignored... Not only SSLProtocol but SSLCipherSuite also. So weird.

I'm in touch with the Apache committer: maybe he'll come out with another idea. When we find a solution, we will of course post it.

Thanks again.

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/24 07:14:32
by avij
Perhaps you have some sort of SSL-enabled load balancer in front of your web server. Or perhaps there's a DNS problem which makes SSLLabs test the wrong server. Try service httpd stop and run the test again. If SSLLabs can still test your server, you have a slight problem.

You can also test your server locally. If you use the -3 option to curl, it will try to use SSLv3. The below error message about server certificate is expected, as the certificate is not issued for 'localhost'.

$ curl -3 https://localhost/
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
$ curl https://localhost/
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2015/07/27 06:59:26
by kafkaah
Thanks much for your support.

It seems Apache would not honor any SSLCipherSuite or SSLProtocol directives within any VirtualHost context.

Since, lucky enough, these directives have a common definition for all our VirtualHosts, we simply put them in the general conf file httpd.conf, where they were processed. No more Poodle :-)

It's still a mystery why some SSL directives would be honored in the VirtualHost context and not others.

Our best regards.

Re: Apache 2.4.6: SSLProtocol bug and Poodle

Posted: 2020/06/15 05:17:04
by hema.arun
If the SSLProtocol directive is not taking effect after adding it in the ssl.conf file, add it in the httpd.conf file. Restart Apache. This will disable SSLv3, SSLv2, TLSv1 and TLSv1.1 in the Apache 2.4.6 version. This was the fix that worked for me.

[root@server httpd]# grep SSLProtocol /etc/httpd/conf/httpd.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
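The following is an added example for the two fixes above (kafkaah's and hema.arun's, both moving SSLProtocol to the global scope of httpd.conf); it is not code from the posts, from httpd or from mod_ssl. It evaluates an SSLProtocol argument list the way the mod_ssl documentation describes it (tokens applied left to right, "all" is the full set, "+X" adds, "-X" removes, a bare "X" replaces the set) and walks a config to report, per scope, whether SSLv3 is still enabled, so the vhost-only versus global placement can be checked before httpd is restarted. The membership of "all" (SSLv3, TLSv1, TLSv1.1, TLSv1.2, as the httpd 2.4 docs list it for OpenSSL 1.0.x builds) is an assumption stated in the code; the sample configs are constructed for the example, and Include directives are not followed.

```python
"""Added example for the CentOS forum thread above: not code from the
posts, from httpd or from mod_ssl. Evaluates SSLProtocol arguments as
documented by mod_ssl and reports per config scope whether SSLv3 is
still enabled."""
import re

# Assumption: what "all" expands to on httpd 2.4.6 built against
# OpenSSL 1.0.1 (TLSv1.3 only exists in later releases).
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
# SSLv2 is a legal token (CentOS 7 ships "all -SSLv2") but not part of "all".
KNOWN = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}


def parse_ssl_protocol(expr: str) -> frozenset:
    """Apply tokens left to right: 'all' is the full set, '+X' adds X,
    '-X' removes X and a bare 'X' replaces the set. Names are
    case-insensitive; an unknown name is a startup error in mod_ssl,
    so it raises here as well."""
    enabled = set()
    for token in expr.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            protos = set(ALL_PROTOCOLS)
        elif token.lower() in KNOWN:
            protos = {KNOWN[token.lower()]}
        else:
            raise ValueError(f"Illegal protocol '{token}'")
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = protos
    return frozenset(enabled)


VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.*?)\s*$", re.I)


def directive_scopes(config_text: str) -> list:
    """Return (scope, directive, value) triples; scope is 'global' or
    'vhost <args>'. Comment lines are skipped, Include is not followed."""
    scope, found = "global", []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            scope = "vhost " + m.group(1).strip()
            continue
        if VHOST_CLOSE.match(line):
            scope = "global"
            continue
        m = SSL_DIRECTIVE.match(line)
        if m:
            found.append((scope, m.group(1), m.group(2)))
    return found


def sslv3_status(config_text: str) -> dict:
    """Map each scope that sets SSLProtocol to True (SSLv3 enabled) or
    False. A scope without the directive is absent from the map. In
    kafkaah's case a vhost-only entry left the server answering SSLv3,
    so the thing to look for is a 'global' key that maps to False."""
    status = {}
    for scope, name, value in directive_scopes(config_text):
        if name.lower() == "sslprotocol":
            status[scope] = "SSLv3" in parse_ssl_protocol(value)
    return status


# Constructed sample, modelled on the layout the thread describes:
# the only SSLProtocol sits inside the _default_ vhost in ssl.conf.
VHOST_ONLY = """\
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

# The placement both posters report working: the directive at global
# scope (httpd.conf), here with hema.arun's stricter value.
GLOBAL_FIX = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n" + VHOST_ONLY

if __name__ == "__main__":
    for label, cfg in (("vhost-only", VHOST_ONLY), ("global", GLOBAL_FIX)):
        print(f"{label:10s} SSLv3 enabled per scope: {sslv3_status(cfg)}")
        for scope, name, value in directive_scopes(cfg):
            if name.lower() == "sslprotocol":
                print(f"   {scope}: {sorted(parse_ssl_protocol(value))}")
```

Run it against the concatenation of httpd.conf and the files it includes (the script does not follow Include itself); a missing "global" key in the result is the situation the thread ends up in, and the final check should still be an external probe such as the curl -3 or SSLLabs test used above.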