Disable SSL 3.0 in Apache

Configuring Apache to Disable SSLv3

The Apache HTTP Server is configured by placing directives in plain-text configuration files. The main configuration file is usually called httpd.conf (on some distributions the TLS settings live in an included file such as ssl.conf), and disabling SSLv3 there is a small edit that protects the websites the server hosts from the POODLE attack (CVE-2014-3566).

The exact directive depends on which version of Apache, and which TLS module, you are using. The main cases are:

For Apache 2.2.23 and later (including every 2.4 release), where SSLProtocol understands the individual TLS versions, keep every protocol except SSLv2 and SSLv3:

SSLProtocol All -SSLv2 -SSLv3

For Apache 2.2.22 and earlier, SSLProtocol only recognises SSLv2, SSLv3 and TLSv1, and TLSv1 acts as a wildcard for every TLS version the underlying OpenSSL library supports. Use the following form to allow only TLS:

SSLProtocol TLSv1

For Apache servers that use mod_nss (the NSS-based alternative to mod_ssl) instead of mod_ssl, the directive is NSSProtocol rather than SSLProtocol. Edit the module's configuration file, commonly located at /etc/httpd/conf.d/nss.conf, and list the TLS versions to accept (add TLSv1.2 if your mod_nss build supports it):

NSSProtocol TLSv1.0,TLSv1.1

Apache and Virtual Hosts

Apache can serve more than one website from a single server, either “IP-based” (each site has its own IP address) or “name-based” (several names share one address, and Apache selects the site from the Host header or the TLS server_name extension). Each of these “virtual hosts” has its own “stanza” (a <VirtualHost> block) in httpd.conf or an included file. An SSLProtocol directive in the main server context is inherited by every virtual host that does not set its own, but an SSLProtocol line inside a stanza overrides the global value for that host. Administrators should therefore set the directive once at the top level and then check every stanza for an SSLProtocol line that quietly re-enables the older protocols.

Example: a hypothetical server runs ten virtual hosts. Nine carry the desired configuration forcing the safer protocols, while one stanza still has an SSLProtocol value that includes SSLv3. That site negotiates SSLv3 and is vulnerable to POODLE and similar attacks. Worse, if that stanza is the first (default) virtual host for its address and port, its settings govern the initial handshake for every name-based virtual host sharing that address, so the whole server should be treated as vulnerable until every stanza has been fixed.
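As an added example (not code from this page or from the Apache project), the POSIX shell script below audits an httpd.conf-style file for exactly this problem: it computes the effective SSLProtocol for the main server and for each <VirtualHost> stanza, applying the inheritance and override rule above and the +/- keyword forms listed earlier, and flags any stanza from which a client could still negotiate SSLv3. The sample configuration, the hostnames (site1.example and so on), the address 192.0.2.10 and the function names are all constructed for this illustration; the script does not talk to a live server.

```shell
#!/bin/sh
# Audit an Apache configuration for stanzas whose effective SSLProtocol
# still lets a client negotiate SSLv3.  Added example, not part of the
# Apache HTTP Server; the configuration it reads is a constructed sample.

# audit_sslprotocol [FILE]
# Reads an httpd.conf-style file (or stdin) and prints one line per stanza,
# the main server plus every <VirtualHost>, with the SSLProtocol value that
# applies to it.  A VirtualHost without its own directive inherits the main
# server's; with no directive anywhere, mod_ssl's historical default "all"
# applies (2.4.17 and later default to "all -SSLv3"; set SSLPROTOCOL_DEFAULT
# to that string if you only run such versions).
audit_sslprotocol() {
    awk -v DEFAULT="${SSLPROTOCOL_DEFAULT:-all}" '
        # Drop comments and surrounding whitespace; skip blank lines.
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^$/ { next }

        # Open a new VirtualHost stanza and remember its address spec.
        tolower($0) ~ /^<virtualhost[ \t]/ {
            name = $0
            sub(/^<[^ \t]+[ \t]+/, "", name); sub(/>$/, "", name)
            nv++; vname[nv] = name; vproto[nv] = ""; vsn[nv] = ""
            in_vhost = 1; next
        }
        tolower($0) ~ /^<\/virtualhost>/ { in_vhost = 0; next }

        in_vhost && tolower($1) == "servername" { vsn[nv] = $2 }

        # Record SSLProtocol for the stanza we are in (main or vhost).
        tolower($1) == "sslprotocol" {
            val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
            if (in_vhost) vproto[nv] = val; else mproto = val
        }

        END {
            if (mproto == "") mproto = DEFAULT
            report("main server", mproto)
            for (i = 1; i <= nv; i++) {
                label = "VirtualHost " vname[i]
                if (vsn[i] != "") label = label " (" vsn[i] ")"
                report(label, (vproto[i] == "") ? mproto : vproto[i])
            }
        }

        # allows_sslv3(VALUE): evaluate the directive keywords the way mod_ssl
        # does: "all"/"+all" or "SSLv3"/"+SSLv3" enable it, "-SSLv3" disables
        # it; a bare "TLSv1" (the pre-2.2.23 wildcard) never enables SSLv3.
        function allows_sslv3(value,    n, i, tok, on, off, toks) {
            n = split(tolower(value), toks, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                tok = toks[i]
                if (tok == "all" || tok == "+all" || tok == "sslv3" || tok == "+sslv3")
                    on = 1
                else if (tok == "-sslv3")
                    off = 1
            }
            return on && !off
        }
        function report(stanza, value) {
            printf "%s: SSLProtocol %s -> %s\n", stanza, value,
                   (allows_sslv3(value) ? "allows SSLv3" : "SSLv3 disabled")
        }
    ' "$@"
}

# sslv3_exposed [FILE]: exit 0 if any stanza still allows SSLv3 (usable as a
# pre-deployment gate), 1 otherwise.
sslv3_exposed() {
    audit_sslprotocol "$@" | grep -q 'allows SSLv3'
}

# Constructed sample: the global directive is correct, one vhost inherits it,
# one uses the old TLSv1 wildcard, and one stanza overrides it without -SSLv3.
sample_conf() {
    cat <<'EOF'
SSLEngine on
# Global setting, inherited by every VirtualHost that does not override it
SSLProtocol All -SSLv2 -SSLv3

<VirtualHost *:443>
    ServerName site1.example
    # no SSLProtocol: inherits the global value
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.example
    # pre-2.2.23 form: TLSv1 is a wildcard for all TLS versions
    SSLProtocol TLSv1
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName site3.example
    # copied from an old template and missing -SSLv3: re-enables SSLv3 here
    SSLProtocol All -SSLv2
</VirtualHost>
EOF
}

sample_conf | audit_sslprotocol
if sample_conf | sslv3_exposed; then
    echo "FAIL: at least one stanza still allows SSLv3"
else
    echo "OK: SSLv3 disabled in every stanza"
fi
```

Run it against a real file with `audit_sslprotocol /etc/httpd/conf/httpd.conf` (and the same for every file that httpd.conf includes, since <VirtualHost> blocks are often split across conf.d). The script only reads the configuration, so after correcting any flagged stanza still run `apachectl configtest` and `apachectl graceful`, then confirm from the outside: `openssl s_client -connect host:443 -ssl3` must fail to complete a handshake. Note that many current OpenSSL builds compile SSLv3 out entirely and reject the `-ssl3` option, in which case use an older build or a TLS scanner for the live check.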

For more information on configuring the Apache HTTP Server, the Apache Software Foundation has excellent documentation online.