
I'm trying to update SSL settings for a testing server running CentOS 6.4, but after updating the SSL cipher suites, Apache won't start.

Configuration file location: /etc/httpd/conf.d/ssl.conf.

Restart command as root: service httpd restart

Originally (works):

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP

Updated (doesn't work):

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXP

I enabled the httpd LogLevel to debug, and below is what I see.

[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[info] Init: Seeding PRNG with 256 bytes of entropy
[info] Init: Generating temporary RSA private keys (512/1024 bits)
[info] Init: Generating temporary DH parameters (512/1024 bits)
[info] Init: Initializing (virtual) servers for SSL
(stops here)

I checked the virtualhost configuration on this server, and it just has a copy of the production server's configuration file. I'm unsure if it's relevant.

Any idea how to resolve this issue? On a side note, is it necessary to update both SSLProtocol and SSLCipherSuite?

laketuna

1 Answer

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3:!EXP

Disabling SSLv2 and SSLv3 cipher suites effectively disables all cipher suites required for SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1, because TLS 1.0 and TLS 1.1 did not define any new cipher suites. Since CentOS 6.4 includes only OpenSSL 1.0.0, which does not support TLS 1.2 yet, you are effectively left with no ciphers at all.

Please restrict the POODLE fix to SSLProtocol and leave the ciphers alone. The problems with POODLE are not flaws in the ciphers, but in the protocol itself.

Steffen Ullrich