chronolith
asked on
Cannot impact SSL config in apache
I have a virtual Debian web server running apache 2.2.22 with an ssl enabled vhost. I am trying to disable SSLv3 and no matter what I do there seems to be no change when I rescan the website with Comodo or SSL labs. I have tried editing:
/etc/apache2/mods-available/ssl.conf
/etc/apache2/sites-available/default-ssl
... by either adding or changing the existing parameters for:
SSLCipherSuite
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -SSLv2
And after every change I run service apache2 restart
I also grep'd the /etc/apache2 directory for those ssl variables thinking they were coming from somewhere else but they are not.
Ultimately I am trying to switch the site over to TLS and dump SSLv3 but I just can't make an impact...
ASKER
It's a fairly vanilla setup. I have two virtual hosts that are being read, one for port 80 and one for port 443.
There are (were) only two files specifying SSL params like SSLProtocol. I read somewhere that in apache 2.2 you had to add the values to the vhost config file additionally. I tried adding those same params to the 443 virtual host config but they had no impact so I removed them. The other is /etc/apache2/mods-available/ssl.conf. Currently that is the only file with SSLProtocol specified. Any changes to this file also have no impact on scans, at least in terms of the protocol.
I do not have a global.conf file at the root of apache2. There is an apache2.conf file. I tried adding the lines there, but also no change. They were removed.
I'm not comfortable posting publicly a link to the server that is clearly still vulnerable. I will be happy to share it individually though.
Thanks very much for your insights so far.
ASKER
OpenSSL version is 1.0.1t-1+deb7u3
ASKER
Possible culprit: The Forefront TMG firewall sitting in front of this web server. I have added registry values to disable SSLv3 but won't be able to reboot it until off hours.
ASKER
Turns out it was mostly about the ForeFront TMG firewall. I did have to line up the protocols and ciphers between my apache server and ForeFront but everything fell into place at that point.
In case anyone else comes along needing similar help please have a look at these articles:
Disabling protocols in ForeFront via regedit: https://www.fastvue.co/tmgreporter/blog/how-to-enable-and-disable-ssl-tls-versions-on-forefront-tmg
Enforcing cipher suite order: https://tmgblog.richardhicks.com/tag/cipher-suites/
Richard Hicks' blog is a good resource for this.
Thanks all.
ASKER
- inotifywait -mrq /etc/apache2 does confirm that it is in fact reading ssl.conf
- apachectl -V shows identical to the example posted by Steve Bink for HTTPD_ROOT and SERVER_CONFIG_FILE
- Stop and Start as opposed to restart brought no changes
I intend to upgrade the distribution from Wheezy to Jessie once the new year arrives. Jessie's repositories standardize on Apache 2.4. I just can't do anything that drastic right now while the holiday season is in the swing.
Putting all of the special configs in a separate include file is of course great advice and I intend to do that from now on, but all of my research to disable SSLv3 has people blithely editing the files directly and I followed suit.
I do know it is properly reading ssl.conf because I made a mistake by commenting out one of the SSLCipherSuite lines and the site failed saying that no ciphers were available. Can there be arguments between the ciphers line and the protocols line?
Currently I have the SSLProtocol line calling only for TLSv1 but all of the external scans continue to report the SSLv3 is still supported...
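A quick way to rule out the Apache side before looking at whatever sits in front of the server (as this thread eventually did with the TMG firewall) is to audit every SSLProtocol directive in the config tree and expand it with Apache's own semantics. The script below is an added example, not code from the thread or from Apache; it assumes a Debian-style /etc/apache2 layout and the Apache 2.2 / OpenSSL 1.0.1 meaning of "all" (SSLv3 plus TLSv1 through TLSv1.2, SSLv2 only when explicitly named). If it reports no directive that still permits SSLv3 yet an external scan does, the SSLv3 handshake is being answered by something other than this Apache instance.

```python
#!/usr/bin/env python3
"""Audit an Apache config tree for SSLProtocol directives that still allow SSLv3.

Added example (not from the thread). Assumes a Debian-style /etc/apache2 tree and
Apache 2.2 semantics: 'all' enables every protocol, '-Name' removes one,
'+Name' or a bare 'Name' adds one; tokens are applied left to right.
"""
import re
import sys
from pathlib import Path

# What "all" expands to on Apache 2.2 built against OpenSSL 1.0.1 (SSLv2 excluded).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Canonical spelling lookup: Apache matches protocol names case-insensitively.
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}
DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def parse_sslprotocol(value):
    """Return the set of protocols enabled by one SSLProtocol value."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        else:
            names = {CANONICAL.get(name.lower(), name)}  # unknown names kept verbatim
        enabled = enabled - names if op == "-" else enabled | names
    return enabled

def audit_text(source, text):
    """Yield one finding per active (non-commented) SSLProtocol directive in a file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue  # comments ('# SSLProtocol ...') and other directives are skipped
        enabled = parse_sslprotocol(m.group(1))
        yield {"file": source, "line": lineno, "value": m.group(1),
               "enabled": enabled, "sslv3": "SSLv3" in enabled}

def audit_tree(root):
    """Walk a config directory recursively, mirroring what Include pulls in on Debian."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            findings.extend(audit_text(str(path), path.read_text(errors="replace")))
    return findings

if __name__ == "__main__":
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/etc/apache2"):
        flag = "ALLOWS SSLv3" if f["sslv3"] else "ok"
        print(f"{f['file']}:{f['line']}: SSLProtocol {f['value']} -> {flag}")
```

Run it as root (or any user that can read the tree) with `./audit_sslprotocol.py /etc/apache2`; a directive in a vhost overrides the server-wide one from mods-enabled/ssl.conf, so the last finding for a given vhost is the one that counts.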