Test and fix SSLv3 on Debian.
Test for SSLv3
First, test whether your server still accepts SSLv3:
openssl s_client -connect YOUR_URL_OR_IP:443 -ssl3
If the answer is something like:
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
everything is fine and SSLv3 is not available. If your server completes the handshake instead, you have to disable SSLv3!
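The manual check above, wrapped in a small script so it can be run against several hosts and its verdict parsed automatically. This is an added example, not part of the original post; it assumes an openssl build that still accepts the -ssl3 option (newer builds drop it, which the script reports as UNKNOWN), and the sample outputs are constructed from the two cases described in the post.

```shell
#!/bin/sh
# Added example: automate "openssl s_client -connect HOST:443 -ssl3".
# Assumes the local openssl still supports -ssl3; if it does not,
# the verdict is UNKNOWN rather than a false REFUSED.

# Classify captured s_client output:
#   REFUSED  - server sent an alert, SSLv3 is disabled (good)
#   ACCEPTED - a session with "Protocol : SSLv3" was negotiated (bad)
#   UNKNOWN  - no connection, or the local openssl lacks -ssl3
classify_sslv3_output() {
    if printf '%s\n' "$1" | grep -q 'alert handshake failure'; then
        echo REFUSED
    elif printf '%s\n' "$1" | grep -Eq 'Protocol[[:space:]]*:[[:space:]]*SSLv3'; then
        echo ACCEPTED
    else
        echo UNKNOWN
    fi
}

# Probe one host:port and print "host:port VERDICT".
check_sslv3() {
    target="$1"
    # </dev/null closes stdin so s_client exits after the handshake;
    # stderr is merged because the alert is printed there.
    out=$(openssl s_client -connect "$target" -ssl3 </dev/null 2>&1)
    echo "$target $(classify_sslv3_output "$out")"
}

# Constructed sample outputs for the two outcomes described in the post.
SAMPLE_REFUSED='CONNECTED(00000003)
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
SAMPLE_ACCEPTED='SSL handshake has read 1472 bytes and written 289 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA'

if [ "$#" -gt 0 ]; then
    for host in "$@"; do check_sslv3 "$host"; done
else
    echo "refused sample:  $(classify_sslv3_output "$SAMPLE_REFUSED")"
    echo "accepted sample: $(classify_sslv3_output "$SAMPLE_ACCEPTED")"
fi
```

Run it as `sh check_sslv3.sh mail.example.org:465 www.example.org:443`; with no arguments it classifies the two built-in samples.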
Apache 2
For Apache2, edit “/etc/apache2/mods-available/ssl.conf” and replace
SSLProtocol All -SSLv2
with
SSLProtocol All -SSLv2 -SSLv3
Now restart your Apache webserver:
service apache2 restart
Nginx
For the Nginx webserver, edit “/etc/nginx/nginx.conf” and insert inside the http {} block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Now restart your Nginx webserver:
service nginx restart
Postfix
For the Postfix mailserver, edit “/etc/postfix/main.cf” and insert this TLS parameter:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Now restart your mailserver:
service postfix restart
Dovecot
To disable SSLv3 in Dovecot, edit “/etc/dovecot/conf.d/10-ssl.conf” (you may have to create this file!) and insert:
ssl_protocols = !SSLv2 !SSLv3
And of course restart Dovecot:
service dovecot restart
Toby
4 Nov 2014
Thank you for this great summary!
Having configuration hints for disabling SSLv3 on all major services in one place saved me lots of time.
In addition, for Postfix you need to either make TLS mandatory
smtpd_enforce_tls=yes
or disable SSLv3 entirely
smtpd_tls_protocols=!SSLv2,!SSLv3
The first option is generally NOT a good idea, since many mailservers do not support encryption.
And if you also want to disable SSLv3 on the SMTP client side (i.e. when Postfix sends mails), you need to add the equivalent directives starting with smtp_:
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
I can also recommend this page: https://disablessl3.com/
Toby
Felix
7 Nov 2014
Actually, this does not work for OpenSSL on Debian Stable, because this disables TLSv1.0 and TLSv1.1 too. I don’t know what the heck the problem is with the openssl library in Debian, but it does not separately list TLSv1.0 and v1.1. So if you place !SSLv3 in your CipherChain, you will only be able to talk to TLSv1.2 capable clients. Trying to connect e.g. with the WebKit browser in Android 4.3 will fail; Chrome instead works, as it seems to bring its own SSL library.
Toby
10 Nov 2014
Hmm, I can’t confirm this problem.
Configuring my Apache on Debian Wheezy using
SSLProtocol All -SSLv2 -SSLv3
only disables SSLv3 and I can still connect using TLS 1.0.
Maurice
16 Apr 2015
I’m still able to connect to the server using SSLv3 with the command “openssl s_client -connect YOUR_URL_OR_IP:443 -ssl3” after I have changed the current setting to “SSLProtocol All -SSLv2 -SSLv3” in my /etc/apache2/mods-available/ssl.conf file on my Debian 7.8 box,
and I have restarted the apache service.
*** snip **
SSL handshake has read 1472 bytes and written 289 bytes
—
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES256-SHA
… etc
sebastian
17 Apr 2015
Hmm, you should get:
Secure Renegotiation IS NOT supported
Are you using mod_ssl? List your active modules with:
apache2ctl -M
And please check that you don’t configure your module in other config files as well.
Perhaps you’ll find another config with:
grep -r 'SSLProtocol' /etc/apache2