
I recently installed an SSL certificate on my server. Then I tried out this tool to test the newly installed SSL certificate on my server and see if there were any problems.

It turned out that it has a problem with the SSL 3 protocol, saying that it is insecure because of vulnerability to the POODLE attack.

The page suggests disabling SSL 3 to mitigate it.

So I searched the Internet on how to disable *SSLv3 and SSLv2* on an Apache 2.4 server.

I've found several tutorials that say... to disable SSLv3 and SSLv2 on my Ubuntu 14.04 server with Apache 2.4, I have to edit all instances of `SSLProtocol all` in all files inside /etc/apache2, and change them to `SSLProtocol all -SSLv2 -SSLv3`.

I've already done the following, but SSL Labs' SSL Server Test tool still reports the same issue.

I already added this to all of my vhosts and all config files that have SSLProtocol...

SSLProtocol all -SSLv2 -SSLv3

About My Server Setup

On my server, I've set up Pound proxy with Varnish Cache.

I did this because Varnish is not able to do its thing using HTTPS, so I set up Pound and use Varnish as its backend.

The setup is working fine, Varnish is caching on HTTPS.

My SSL certificate was installed properly, I have confirmed that using online tools from Digicert and SSL Labs.

The SSL PEM file used with Pound contains the info extracted from the .key, .crt and CA.pem files.

My Server Details

Below are some details about my server. It hosts a single WordPress instance and is in production.

Ports

  • Apache - on port 8080
  • Apache ports.conf and sites-available/myvhost.conf -

    <IfModule mod_ssl.c>
        Listen 9443
    </IfModule>

  • Varnish backend - port 8080
  • Varnish .vcl - DAEMON_OPTS="-a :80"
  • Pound listens on port 443, configured using ListenHTTPS

The server is provisioned using TuxLite, which I downloaded from the following page:

https://github.com/Mins/TuxLite

LSB Release output:

Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:   trusty

Apache output:

Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 10 2015 13:05:59
Server's Module Magic Number: 20120211:27
Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

Pound output:

starting...
Version 2.6
  Configuration switches:
    --enable-cert1l
Exiting...

Varnish version:

varnishd (varnish-4.0.3 revision b8c4a34)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2014 Varnish Software AS

How could I disable SSLv2 and SSLv3 Protocol on my server?

UPDATE

I've inserted the following entries in my /etc/pound/pound.cfg file:

ListenHTTPS
    ...
    Cert "---"
    Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
    ....

And now I get a C grade in SSL Labs.

SSL 3 is still reported insecure, and the Handshake Simulation errors for IE6 / XP.

Gary Dapogi
  • possible duplicate of [POODLE Ciphers !SSLv3 = Protocol or cipher suite mismatch](http://serverfault.com/questions/639242/poodle-ciphers-sslv3-protocol-or-cipher-suite-mismatch) – masegaloeh May 13 '15 at 06:38
  • The problem here seems to be that you haven't described the linkages between Apache, Pound and Varnish. Chances are that Pound is the component that is 'terminating' the client's SSL session, and so that is where the change must be made. Pound will reverse-proxy to Varnish, which will reverse-proxy to Apache. If there is SSL between Pound and Varnish, or Varnish and Apache, those are separate SSL connections and completely separate from the user-to-Pound connection. – Cameron Kerr May 13 '15 at 10:02
  • Please see another question in my earlier comment, if it doesn't help, please post full configuration of `/etc/pound.conf`. Your apache and Varnish configuration isn't relevant here as ssllabs only interacted with Pound. – masegaloeh May 14 '15 at 08:44
  • @masegaloeh - I'm on Ubuntu 14.04, so my Pound config file is located at `/etc/pound/pound.cfg`. I also commented on Ahmed I.'s answer below, it was the same answer as alexus gave on his post. Putting `DisableSSLv2 and v3` in my `/etc/pound/pound.cfg` before `Cipher` directive didn't help, it throws error saying `unknown directive`. – Gary Dapogi May 15 '15 at 05:08

1 Answer

Seems like you're running Pound with SSL on port 443.

To fix this issue, have the following lines in /etc/pound.cfg, then restart Pound and test:

DisableSSLv3
DisableSSLv2

serverliving.com