httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hébergement web ArbreBinaire.com <hebergem...@arbrebinaire.com>
Subject [users@httpd] Apache 2.4: SSLProtocol directive not taking effect
Date Wed, 22 Jul 2015 21:14:15 GMT
Hi,

We've been stumped by a configuration problem of our Apache 2.4 server, on
CentOS 7.

Our goal is to prevent the Poodle vulnerability by removing the SSLv3
protocol.

But it seems this directive is not taking any effect:

SSLProtocol All -SSLv3

It's located within a VirtualHost context (in
/etc/httpd/conf.d/example.com.conf):

<VirtualHost 123.456.789.01:443>

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:$
SSLHonorCipherOrder on

And the default (in  /etc/httpd/conf.d/ssl.conf)

<VirtualHost _default_:443>

SSLProtocol All -SSLv3
SSLCipherSuite
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!$
SSLHonorCipherOrder on

We have of course restarted Apache, but tests show that SSLv3 is still
enabled.

I'm certain this is a simple problem, but the logs are silent about this
(at LogLevel debug), and we are not able to solve it.

Thanks,

François

Mime
View raw message