I recently installed an SSL certificate on my server. Then I tried out this tool to test my newly installed SSL certificate and see whether there were any problems.
It turned out that there is a problem with the SSL 3 protocol: it is reported as insecure because of its vulnerability to the POODLE attack.
The page suggests disabling SSL 3 to mitigate it.
So I searched the Internet for how to disable SSLv3 and SSLv2 on an Apache 2.4 server.
I've found several tutorials that say that, to disable SSLv3 and SSLv2 on my Ubuntu 14.04 server with Apache 2.4, I have to edit all instances of SSLProtocol all in all files inside /etc/apache2 and change them to SSLProtocol all -SSLv2 -SSLv3.
I've already done the following, but SSL Labs' SSL Server Test tool still reports the same issue.
I have already added this to all of my vhosts and every config file that has SSLProtocol:
...
SSLProtocol all -SSLv2 -SSLv3
About My Server Setup
On my server, I've set up Pound proxy with Varnish Cache.
I did this because Varnish is not able to do its thing over HTTPS, so I set up Pound and use Varnish as its backend.
The setup is working fine, Varnish is caching on HTTPS.
My SSL certificate was installed properly; I have confirmed that using online tools from DigiCert and SSL Labs.
The SSL PEM file used with Pound contains the info extracted from the .key, .crt and CA.pem files.
My Server Details
Below are some details about my server. It hosts a single WordPress instance, and it's in production.
Ports
- Apache - on port 8080 (ports.conf and sites-available/myvhost.conf)
- Apache - <IfModule mod_ssl.c> Listen 9443
- Varnish backend - port 8080 (.vcl)
- Varnish - DAEMON_OPTS="-a :80"
- Pound - listens on port 443, configured using ListenHTTPS
The server is provisioned using Tuxlite, which I've downloaded from the following page:
https://github.com/Mins/TuxLite
LSB Release output:
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
Apache output:
Server version: Apache/2.4.7 (Ubuntu)
Server built: Mar 10 2015 13:05:59
Server's Module Magic Number: 20120211:27
Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
Pound output:
starting...
Version 2.6
Configuration switches:
--enable-cert1l
Exiting...
Varnish version:
varnishd (varnish-4.0.3 revision b8c4a34)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2014 Varnish Software AS
How could I disable the SSLv2 and SSLv3 protocols on my server?
UPDATE
I've inserted the following entries in my /etc/pound/pound.cfg file:
ListenHTTPS
...
Cert "---"
Ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:-RC4:EECDH+aRSA+RC4:EECDH+RC4:EDH+aRSA+RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:RC4+SHA"
....
And now I got a C grade in SSL Labs.
SSL 3 is still reported as insecure, and the handshake simulation errors out for IE6 / XP.
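In the setup described above it is Pound, not Apache, that terminates TLS on port 443, so Apache's SSLProtocol lines never affect what SSL Labs sees. As an added example that is not part of the original post, here is a small Python audit that parses a pound.cfg and reports which ListenHTTPS listeners still accept SSLv3; it relies on Pound's listener-level Disable <proto> directive, which disables that protocol and all older ones (assumed to be supported by the installed Pound build), and the sample config is constructed.

```python
# Pound's "Disable <proto>" disables that protocol and all older ones (oldest first).
PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]

def parse_pound_listeners(cfg):
    """Return [(port, highest_disabled_index)] per top-level ListenHTTPS block."""
    listeners, port, disabled, depth = [], None, -1, 0
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        key, *rest = line.split(None, 1)
        arg = rest[0].strip().strip('"') if rest else ""
        if depth == 0:                             # outside any HTTPS listener
            if key == "ListenHTTPS":
                port, disabled, depth = "?", -1, 1
            continue
        if key == "End":
            depth -= 1
            if depth == 0:
                listeners.append((port, disabled))
        elif key in ("Service", "BackEnd", "Emergency", "Session"):
            depth += 1                             # nested block: not listener-level
        elif depth == 1 and key == "Port":
            port = arg
        elif depth == 1 and key == "Disable" and arg in PROTO_ORDER:
            disabled = max(disabled, PROTO_ORDER.index(arg))
    return listeners

def sslv3_still_allowed(cfg):
    """Map each HTTPS listener port to True when it would still accept SSLv3."""
    return {port: PROTO_ORDER.index("SSLv3") > disabled
            for port, disabled in parse_pound_listeners(cfg)}

# Constructed sample, not the poster's file: listener 443 mirrors the question's
# setup (Cert only, no Disable); 8443 adds the Disable line that closes the finding.
SAMPLE_POUND_CFG = """
ListenHTTPS
    Port 443
    Cert "/etc/pound/example.pem"
    Service
        BackEnd
            Port 8080   # backend port, must not be taken for the listener port
        End
    End
End
ListenHTTPS
    Port 8443
    Disable SSLv3
End
"""
```

Running sslv3_still_allowed(SAMPLE_POUND_CFG) flags port 443 as still accepting SSLv3 and port 8443 as clean; a Disable TLSv1 line would also clear SSLv3 because Pound disables everything older as well.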