
Unable to disable SSLv3 in Apache for POODLE

One of my clients wanted me to upgrade OpenSSL and Apache on his server because he wants to receive an A from SSL Labs. I went ahead and upgraded Apache to 2.4.18 and OpenSSL to version 1.0.2e. I then modified Apache's SSL configuration to match the following:

# SSL Protocols/Ciphers
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLCompression off

I ran an SSL Test from SSL Labs and I still receive the following warning:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

In the protocols list, it says YES to SSL 3 even though the configuration above says it should be disabled.

I've tried many cipher combinations found by searching the web and I always get the same result. I've also searched every *.conf file for an SSL configuration, but there is none except my SSL file above.

The website's URL: https://orders.expotools.biz

SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=orders.expotools.biz

• Are you sure this bit of configuration actually gets applied? Apache has non-intuitive (at first glance) rules for SSL configuration. That's because before TLS implemented support for SNI, all SSL configuration was essentially global (no matter whether you've defined it inside a virtual host section), and, IIRC, the first one found by Apache won, with the rest being ignored. See this for more info.
• I'd start with figuring out which vhost gets loaded first, and making sure its configuration defines sensible defaults for SSL/TLS.
• There's only 1 vhost with SSL. After doing a grep search, only this file on the server has the wording "SSLProtocol" or "SSLCipherSuite". If I change the configuration at this point, the results are different. I'll keep looking.
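The comments above turn on a question grep cannot answer: not whether an SSLProtocol directive exists, but which vhost mod_ssl reads first for the listening socket. The script below is an added example (not code from the question, the comments or the Apache project) that walks a config tree in the order Apache does, following Include directives where they appear, and reports for every SSL-enabled vhost which SSLProtocol applies and whether that vhost is the first one defined for its address:port. It assumes, as the first comment says, that the first vhost on a socket decides the protocol for the initial handshake, so an SSLProtocol in a later vhost on the same socket never reaches the wire. The file paths and config text are constructed for the demonstration; wildcard Includes are not expanded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample tree standing in for the filesystem (hypothetical paths).
# httpd.conf defines a bare default vhost first, then pulls in ssl.conf.
SAMPLE_TREE = {
    "/etc/httpd/conf/httpd.conf": """\
Listen 443
<VirtualHost *:443>
    ServerName default.example
    SSLEngine on
</VirtualHost>
Include /etc/httpd/conf.d/ssl.conf
""",
    "/etc/httpd/conf.d/ssl.conf": """\
<VirtualHost *:443>
    ServerName orders.example
    SSLEngine on
    # SSL Protocols/Ciphers
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL
</VirtualHost>
""",
}

# Apache directive names are case-insensitive; normalise to these spellings.
WATCHED = {w.lower(): w for w in ("SSLProtocol", "SSLCipherSuite", "SSLEngine", "ServerName")}


@dataclass
class VHost:
    file: str
    line: int
    address: str                                   # e.g. "*:443"
    directives: dict = field(default_factory=dict)


def walk(tree, path, vhosts, global_directives):
    """Collect watched directives per <VirtualHost>, in the order Apache reads them."""
    current = None
    for lineno, raw in enumerate(tree[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = VHost(path, lineno, m.group(1).strip())
            vhosts.append(current)
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "include":
            walk(tree, value, vhosts, global_directives)   # processed where it appears
        elif name in WATCHED:
            target = current.directives if current else global_directives
            target[WATCHED[name]] = value


def analyze(tree, root="/etc/httpd/conf/httpd.conf"):
    """One row per SSL-enabled vhost. 'decides_handshake' marks the first vhost
    seen for each address:port; its SSLProtocol governs what the socket offers."""
    vhosts, global_directives = [], {}
    walk(tree, root, vhosts, global_directives)
    seen, report = set(), []
    for vh in vhosts:
        if vh.directives.get("SSLEngine", "").lower() != "on":
            continue
        own = vh.directives.get("SSLProtocol")
        report.append({
            "server_name": vh.directives.get("ServerName", "(none)"),
            "address": vh.address,
            "file": f"{vh.file}:{vh.line}",
            "explicit": own is not None,
            "ssl_protocol": own or global_directives.get("SSLProtocol")
                            or "mod_ssl default (every version the libssl build offers)",
            "decides_handshake": vh.address not in seen,
        })
        seen.add(vh.address)
    return report


def findings(report):
    """Warn where the deciding vhost has no explicit SSLProtocol but a later vhost
    on the same socket does: the directive is present, yet SSLv3 stays enabled."""
    by_addr = {}
    for row in report:
        by_addr.setdefault(row["address"], []).append(row)
    out = []
    for addr, rows in by_addr.items():
        first, later = rows[0], [r for r in rows[1:] if r["explicit"]]
        if not first["explicit"] and later:
            out.append(f"{addr}: {first['file']} ({first['server_name']}) decides the protocol "
                       f"for this socket but sets no SSLProtocol; the SSLProtocol in "
                       + ", ".join(r["file"] for r in later) + " is never applied to it")
    return out


if __name__ == "__main__":
    rows = analyze(SAMPLE_TREE)
    for row in rows:
        print(row)
    for warning in findings(rows):
        print("WARNING", warning)
```

To use it against a real server, replace SAMPLE_TREE with a dict built by reading the files under the ServerRoot (the output of `httpd -t -D DUMP_VHOSTS` is a quick cross-check of the vhost order). If every vhost on the socket already carries the directive and the probe still says SSL 3 is on, the problem is in the library Apache is linked against rather than in the configuration.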

In order to make it work, I had to recompile OpenSSL with the following command: ./config --prefix=/usr no-threads shared no-ssl3. I also had to recompile Apache afterwards to enable the changes. Works like a charm.

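Building OpenSSL with no-ssl3 removes SSLv3 from both the server and the local openssl client, so `openssl s_client -ssl3` on that box can no longer confirm the fix. The script below is an added example (not from the question, the answer, Apache or OpenSSL) that needs no SSLv3-capable library: it sends a single hand-built SSLv3 ClientHello to a host you administer and classifies the first record that comes back, which is the same observation behind the "SSL 3: YES" line in the SSL Labs report. The cipher suite list and the default host are constructed for the demonstration.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# A few suites SSLv3-era servers commonly accepted; one match is enough to prove the point.
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0033, 0x0039]


def build_sslv3_client_hello() -> bytes:
    """ClientHello with both the record layer and the handshake at version 3.0.
    SSLv3 has no extensions, so the body ends after the compression methods."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body = (
        SSLV3
        + os.urandom(32)                        # client random
        + b"\x00"                               # session id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sent back to the SSLv3 hello."""
    if len(data) < 5:
        return "closed"        # server dropped the connection: SSLv3 not offered
    record_type = data[0]
    if record_type == 0x15:
        return "rejected"      # alert, typically protocol_version or handshake_failure
    if record_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        # data[9:11] is server_version inside the ServerHello body
        return "accepted" if data[9:11] == SSLV3 else "unexpected-version"
    return "unrecognized"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one SSLv3 ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # constructed default
    print(f"{host}: SSLv3 {probe_sslv3(host)}")
```

"accepted" means SSL Labs will keep reporting SSL 3 as enabled and the grade stays capped; "rejected" or "closed" is what a server built with no-ssl3 (or with an honoured `SSLProtocol ... -SSLv3`) returns. Run it before re-submitting the scan, and re-run it after every restart, since a binary still linked against the old libssl will silently bring SSLv3 back.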
