Configuring Apache to Disable SSL v 3.0
The Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf, and it is easy to update the Apache web server to disable SSLv3 (and thus protect your websites from the POODLE vulnerability).
The exact method depends on which version of Apache you are using, but here are some highlights:
For the latest versions of Apache (post-2.2.22) you would simply specify all protocols except SSLv2 and SSLv3:
SSLProtocol All -SSLv2 -SSLv3
For version 2.2.22 of Apache and earlier, please use the following format to only allow the TLS protocol. In this situation, TLSv1 is used as a wildcard to mean all TLS protocols:
For Apache servers using the mod_nss module, edit the Apache configuration file commonly located at /etc/httpd/conf.d/nss.conf to only allow TLS 1.0 and above:
NSSProtocol TLSv1.0,TLSv1.1
Apache and Virtual Hosts
Apache can run more than one web site on a single server, either “IP-based” (so each site uses a different IP address) or “name-based” (allowing multiple names to share an IP address). These “virtual host” instances each have their own “stanza” in httpd.conf to manage their operations. Administrators will need to include the settings above in each virtual host stanza to disable older protocols server-wide.
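To check that no virtual host stanza was missed, the following added example (not part of the original article or of Apache itself) audits a configuration for SSL-enabled virtual hosts whose effective SSLProtocol still permits SSLv3. The sample configuration and host names are constructed. It assumes a single file with no Include directives, that a stanza without its own SSLProtocol inherits the server-wide one, and that "All" includes SSLv3.

```python
import re

# Constructed sample configuration (hypothetical hosts, documentation IP range).
SAMPLE_CONF = """\
SSLProtocol All -SSLv2
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.test
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName legacy.example.test
    SSLEngine on
</VirtualHost>
"""

def allows_sslv3(value):
    """Simplified SSLProtocol model: a bare token sets, '+' adds, '-' removes."""
    enabled = set()
    for tok in value.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        if sign == "-":
            enabled -= protos
        else:
            enabled = enabled | protos if sign == "+" else set(protos)
    return "sslv3" in enabled

def audit(conf_text):
    """Return (vhost, effective SSLProtocol) for SSL vhosts that still allow SSLv3."""
    server, vhosts, cur = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"servername": opened.group(1).strip()}  # label until ServerName is seen
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif line and not line.startswith(("#", "<")):
            key, _, val = line.replace("\t", " ").partition(" ")
            (server if cur is None else cur)[key.lower()] = val.strip()
    findings = []
    for v in vhosts:
        # Assumption: with no SSLProtocol anywhere, the old default "All" applies.
        proto = v.get("sslprotocol") or server.get("sslprotocol") or "All"
        if v.get("sslengine", "").lower() == "on" and allows_sslv3(proto):
            findings.append((v["servername"], proto))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports only the second stanza, which inherits the server-wide `All -SSLv2`; pass the text of your own httpd.conf to run the same check.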
For more information on configuring the Apache HTTP Server, the Apache Software Foundation has excellent documentation online.