How to disable sslv3 in apache

Introduction:

ssl 3.0 is considered unsafe because it uses RC4 encryption or CBC mode encryption, and the former is susceptible to bias attacks, while the latter Leads to POODLE attack.

In production environments, this vulnerability is often scanned. The solution is to disable the protocol on the apache server.

(Learning video sharing: Programming video)

1. Environment preparation

Understand SSL and TLS: http is used in the data transmission process. Plain text, in order to solve this problem https came into being, and ssl is an encryption protocol based on https. When SSL was updated to version 3.0, IETF (Internet Engineering Task Force) standardized SSL3.0. The standardized protocol is TLS1.0, so TLS is the standardized product of SSL. TLS currently has 1.0, 1.1, There are three versions of 1.2, and 1.0 is used by default. At this point we have a basic understanding of SSL and TLS.

The server operating environment required for the web server to support TLS1.2:

Apache对应版本应>=2.2.23;
OpenSSL对应版本应>= 1.0.1

View the current server apache version

[root@host-192-168-149-10 conf.d]# httpd -v
Server version: Apache/2.4.29 (Unix)
Server built:   Jan 22 2018 16:51:25

openssl version

[root@host-192-168-149-10 conf.d]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

2. Environment rectification

Test domain names with security vulnerabilities. Access through sslv3 as follows can return information normally. Attackers may use this vulnerability to harm the system.

[root@host-192-168-149-10 conf.d]# curl  --sslv3 https://cs.df230.xyz/test/api/configs/fedch/all
{
  "overdue" : false,
  "success" : true,
  "errorCode" : null,
  "message" : "请求成功",
  "data" : {
    "global" : {
      "copyright" : "功能清单",
}

apache supports SSLv3, TLSv1, TLSv1.1, TLSv1.2 protocols by default

(Note: the ssl function needs to enable LoadModule ssl_module modules/mod_ssl.so in http.conf)

The default configuration of apache is as follows

SSLProtocol All -SSLv2

Enter the directory /usr/local/apache/conf/extra

vi modify ssl.conf as follows to close the sslv3 protocol

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2

After the configuration is saved, service httpd restart is required to restart apache to make the configuration take effect

Test sslv3 access again, unable to access

[root@host-192-168-149-10 conf.d]# curl  --sslv3 https://cs.df230.xyz/test/api/configs/fedch/al
curl: (35) SSL connect error

Enter development mode through Google browser F12, you can see the browsing The SSL protocol used by the server to access the current domain name is TLS1.2.

At this point, the vulnerability rectification is completed, so easy!

Related recommendations: apache tutorial

The above is the detailed content of How to disable sslv3 in apache. For more information, please follow other related articles on the PHP Chinese website!