Posted to users@httpd.apache.org by "Hébergement web ArbreBinaire.com" <he...@arbrebinaire.com> on 2015/07/22 23:14:15 UTC

[users@httpd] Apache 2.4: SSLProtocol directive not taking effect

Hi,

We've been stumped by a configuration problem of our Apache 2.4 server, on
CentOS 7.

Our goal is to prevent the Poodle vulnerability by removing the SSLv3
protocol.

But it seems this directive is not taking any effect:

SSLProtocol All -SSLv3

It's located within a VirtualHost context (in
/etc/httpd/conf.d/example.com.conf):

<VirtualHost 123.456.789.01:443>

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:$
SSLHonorCipherOrder on

And the default (in /etc/httpd/conf.d/ssl.conf):

<VirtualHost _default_:443>

SSLProtocol All -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!$
SSLHonorCipherOrder on

We have of course restarted Apache, but tests show that SSLv3 is still
enabled.

I'm certain this is a simple problem, but the logs are silent about this
(at LogLevel debug), and we are not able to solve it.

Thanks,

François
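
Added example, not part of the original post and not httpd's own code: a static audit that lists, per VirtualHost, which protocols each SSLProtocol line asks for, so the configuration can be compared with what a live scan reports. It assumes mod_ssl applies the tokens left to right (bare replaces, + adds, - removes) and that "All" includes SSLv3, as on an OpenSSL build that still ships it; the address 192.0.2.10 and the file legacy.conf are constructed.

```python
import re

# Assumption: what "all" expands to on an OpenSSL 1.0.1+ build that still ships SSLv3.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CHOICES = {"all": ALL, "sslv2": set(), **{p.lower(): {p} for p in ALL}}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: bare replaces, + adds, - removes."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        chosen = CHOICES.get(tok[len(action):].lower())
        if chosen is None or (not chosen and action != "-"):  # only -SSLv2 is accepted
            raise ValueError("unsupported protocol token: " + tok)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled

def audit(files):
    """files maps path -> config text; returns [path, scope, protocols or None] rows."""
    rows = []
    for path, text in files.items():
        current = None                    # row of the <VirtualHost> being read
        for line in map(str.strip, text.splitlines()):
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if opened:
                current = [path, opened.group(1).strip(), None]  # None: not set here
                rows.append(current)
            elif re.match(r"</VirtualHost\s*>", line, re.I):
                current = None
            elif re.match(r"SSLProtocol\s", line, re.I):
                enabled = sorted(effective_protocols(line.split(None, 1)[1]))
                if current is None:
                    rows.append([path, "(server config)", enabled])
                else:
                    current[2] = enabled
    return rows

# Constructed sample input modelled on the two files in the post, plus one weak vhost.
SAMPLE = {
    "/etc/httpd/conf.d/ssl.conf": "<VirtualHost _default_:443>\nSSLProtocol All -SSLv3\n</VirtualHost>\n",
    "/etc/httpd/conf.d/example.com.conf": "<VirtualHost 192.0.2.10:443>\nSSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n",
    "/etc/httpd/conf.d/legacy.conf": "<VirtualHost 192.0.2.10:443>\nSSLProtocol All -SSLv2\n</VirtualHost>\n",
}

print(*audit(SAMPLE), sep="\n")
```

If every row for port 443 excludes SSLv3 and a scan still negotiates it, the files are not the cause and the running server build is the next thing to check.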

Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect

Posted by "Hébergement web ArbreBinaire.com" <he...@arbrebinaire.com>.
Thanks much, that has to be it.

Regards,

François

L'équipe Arbre binaire, Hébergement web
hebergement@arbrebinaire.com


Arbre binaire Hébergement web <http://hebergement.arbrebinaire.com/>

2015-07-22 18:22 GMT-04:00 Yann Ylavic <yl...@gmail.com>:

> On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com
> <he...@arbrebinaire.com> wrote:
> > Hi,
> >
> > We've been stumped by a configuration problem of our Apache 2.4 server, on
> > CentOS 7.
> >
> > Our goal is to prevent the Poodle vulnerability by removing the SSLv3
> > protocol.
> >
> > But it seems this directive is not taking any effect:
>
> You may be hitting bug [1], which has been fixed in latest 2.4.16 and
> 2.2.31.
>
> Regards,
> Yann.
>
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect

Posted by "Hébergement web ArbreBinaire.com" <he...@arbrebinaire.com>.
Hi,

> You may be hitting bug [1], which has been fixed in latest 2.4.16 and
> 2.2.31.

Not sure anymore that the bug indicated is the one affecting our Apache
installation.  Seems like the SSLCipherSuite directive is also simply
ignored.

This is very peculiar, since any and all directives in a VirtualHost
context are active, except for the ones pertaining to SSL.

What could be a common cause of such behaviour?  We just don't know what to
do...

Regards,

François


Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect

Posted by Yann Ylavic <yl...@gmail.com>.
On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com
<he...@arbrebinaire.com> wrote:
> Hi,
>
> We've been stumped by a configuration problem of our Apache 2.4 server, on
> CentOS 7.
>
> Our goal is to prevent the Poodle vulnerability by removing the SSLv3
> protocol.
>
> But it seems this directive is not taking any effect:

You may be hitting bug [1], which has been fixed in latest 2.4.16 and 2.2.31.

Regards,
Yann.

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100
