Posted to users@httpd.apache.org by Sailaja Gadireddy <sa...@gmail.com> on 2015/03/12 10:56:32 UTC

[users@httpd] How to disable SSLV3 protocol at Apache

Hello Team,

As SSLv3 is affected by the POODLE attack, the client has initiated disabling it and
upgrading to TLSv1.

Please do let me know how we do that and how to check the impact on the
application after disabling it.

How can we check from the client side whether they are using SSLV3 or TLSV1? What
are the pre-requisites for disabling SSLV3?

Please do let me know for further details.

Thanks & Regards,
Sailaja.

RE: [users@httpd] How to disable SSLV3 protocol at Apache

Posted by Theo Belder <T....@trends.nl>.
You can check your site at Qualys SSL labs: https://www.ssllabs.com/ssltest/analyze.html

After analyzing your site you can see for which attacks your site is vulnerable or which weakness is applicable to your site or server certificate.


Go check https://wiki.mozilla.org/Security/Server_Side_TLS for the securest configuration for all different types of webservers.


For compatibility you can choose your appropriate Ciphersuite (from Modern to Old).

From: Sailaja Gadireddy [mailto:sailaja.gadireddy@gmail.com] 
Sent: donderdag 12 maart 2015 10:57
To: users@httpd.apache.org
Subject: [users@httpd] How to disable SSLV3 protocol at Apache


RE: [users@httpd] How to disable SSLV3 protocol at Apache

Posted by ol...@bt.com.
Hi Sailaja,

Pre-deployment Checks
1. $ openssl s_client -ssl3 -connect <host>:<ssl_port> -state -debug

E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state -debug

2. Expected output -
. . . .
. . .
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 write client key exchange A
write to 0008D528 [0009CC48] (6 bytes => 6 (0x6))
0000 - 14 03 00 00 01 01                                 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0008D528 [0009CC48] (69 bytes => 69 (0x45))
0000 - 16 03 00 00 40 0b df 0a-6a fe 61 00 67 09 4d 2c   ....@...j.a.g.M,
0010 - 97 dd 48 8b 23 39 62 9e-f8 bb f3 3b fa d9 94 2b   ..H.#9b....;...+
0020 - c4 0c f4 cf 39 79 5d ad-ba fe 76 89 41 14 6e 53   ....9y]...v.A.nS
0030 - e8 4e 3c dc a8 07 4b be-5f bd bf ae d2 54 2e ea   .N<...K._....T..
0040 - c0 ab f5 33 77                                    ...3w
            . . . . .
. . . . .
 SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0008D528 [00092AD0] (5 bytes => 5 (0x5))
. . . . .
. . . . .

This indicates that the SSLv3 connection was successful & hence the system is vulnerable.

Deployment tasks

1. Edit $OHS_HOME/conf/ssl.conf
Add SSLProtocol All -SSLv2 -SSLv3 in between the SSLEngine directive & the SSLCipherSuite directive. This will ensure that the protocol will be other than SSLv2 & SSLv3 and hence it will be TLS.
Save the file
2. Restart OAS.
$ cd $OAS_HOME/bin
$ ./opmnctl stopall
$ ./opmnctl startall

Post-deployment Checks
1. openssl s_client -ssl3 -connect <host>:<ssl_port> -state -debug
E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state -debug
2. Expected output -
. . .
. .
SSL_connect:SSLv3 write client hello A
read from 0008D528 [00092AD0] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02                                    .....
write to 0008D528 [0009CC48] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
1021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../../../../common/openssl/ssl/s3_pkt.c:283: -

This indicates that the SSLv3 connection was unsuccessful & hence the system is not vulnerable.

Assuming – you have Oracle Application Server and Oracle HTTP Server. Similar steps will work for Weblogic as well.

Thanks,
Olive

From: Sailaja Gadireddy [mailto:sailaja.gadireddy@gmail.com]
Sent: 12 March 2015 15:27
To: users@httpd.apache.org
Subject: [users@httpd] How to disable SSLV3 protocol at Apache

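The pre/post-deployment probe and the SSLProtocol edit above can be scripted so the "vulnerable / not vulnerable" reading of the openssl output does not depend on eyeballing the transcript. The script below is an added example and is not code from this thread, from Apache or from OpenSSL; it assumes a POSIX sh with awk and an openssl binary, and the function names (classify_handshake, check_sslv3, conf_disables_sslv3) are hypothetical helpers. The sample transcripts are constructed, modelled on the output quoted in the reply. It also handles one case the thread does not mention: an openssl client built without SSLv3 (the default since OpenSSL 1.1.0) rejects -ssl3 outright, which proves nothing about the server.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX sh, awk and an
# openssl binary; classify_handshake, check_sslv3 and conf_disables_sslv3
# are hypothetical helper names, not Apache or OpenSSL tools.

# Verdict for an `openssl s_client -ssl3 ... -state -debug` transcript read on
# stdin: prints vulnerable, not-vulnerable or inconclusive.
classify_handshake() {
    out=$(cat | tr '[:upper:]' '[:lower:]')
    case "$out" in
        *"unknown option"*)
            # Local openssl was built without SSLv3 (default since 1.1.0), so
            # it cannot probe anything: rerun from a client that still has -ssl3.
            echo inconclusive ;;
        *"handshake failure"*|*"wrong version number"*|*"alert protocol version"*)
            echo not-vulnerable ;;          # server refused the SSLv3 hello
        *"sslv3 write finished a"*)
            echo vulnerable ;;              # SSLv3 handshake completed
        *)
            echo inconclusive ;;
    esac
}

# Live probe of one host (needs network, so not exercised by the samples below).
# Run before and after the SSLProtocol change: expect vulnerable, then
# not-vulnerable. Swapping -ssl3 for -tls1_2 checks that TLS still works.
check_sslv3() {
    openssl s_client -ssl3 -connect "$1:$2" -state -debug </dev/null 2>&1 \
        | classify_handshake
}

# Inspect the mod_ssl config instead of the wire: returns 0 when the last
# active SSLProtocol line leaves SSLv3 disabled, 1 otherwise. Tokens are
# processed left to right the way mod_ssl parses them: a bare token replaces
# the set, +tok adds, -tok removes; no directive at all means the default "all".
conf_disables_sslv3() {
    last=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$last" ] || return 1
    printf '%s\n' "$last" | awk '{
        sslv3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i); act = substr(t, 1, 1)
            if (act == "+" || act == "-") t = substr(t, 2); else act = ""
            hit = (t == "all" || t == "sslv3")
            if (act == "-")      { if (hit) sslv3 = 0 }
            else if (act == "+") { if (hit) sslv3 = 1 }
            else                 { sslv3 = hit }
        }
        exit (sslv3 ? 1 : 0)
    }'
}

# Constructed transcripts modelled on the before/after output in the reply.
SAMPLE_BEFORE='SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data'

SAMPLE_AFTER='SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
1021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:283:'

# Constructed: what a client built without SSLv3 support prints instead.
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3'

verdict_for() { printf '%s\n' "$1" | classify_handshake; }

echo "before change: $(verdict_for "$SAMPLE_BEFORE")"   # vulnerable
echo "after change:  $(verdict_for "$SAMPLE_AFTER")"    # not-vulnerable
echo "modern client: $(verdict_for "$SAMPLE_NO_SSL3")"  # inconclusive
```

conf_disables_sslv3 only looks at the last SSLProtocol line in the file you pass it, so point it at the file that actually carries the directive for the vhost in question (ssl.conf in the reply); a directive commented out with "#" is treated as absent, which leaves mod_ssl's default of all protocols in force.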