How to disable SSLv3 in Apache?
I had the same problem...
You have to include SSLProtocol all -SSLv2 -SSLv3
within every VirtualHost stanza in httpd.conf
The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:
...
...
<VirtualHost your.website.example.com:443>
DocumentRoot /var/www/directory
ServerName your.website.example.com
...
SSLEngine on
...
SSLProtocol all -SSLv2 -SSLv3
...
</VirtualHost>
Also check ssl.conf or httpd-ssl.conf or similar because they may be set there, not necessarily in httpd.conf
I had the same problem on Ubuntu 14.04. After reading this, I edited the section "SSLProtocol" in /etc/apache2/mods-available/ssl.conf
.
- from:
SSLProtocol all
- to:
SSLProtocol all -SSLv2 -SSLv3 -TLSV1
But it didn't work. So I edited the following section too "SSLCipherSuite" in
/etc/apache2/mods-available/ssl.conf
.
- from:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
- to:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1
And now it now works for me.
By the way, the Cipher Suites are not affected by POODLE, only the protocol -- but most browsers are okay with a disabled SSLv3 Cipher Suite.
Don't use this for a Mailserver! Or you will (maybe) face the problem of not being able to fetch your Mails on some devices.
For Ubuntu 10.04
To disable SSLv3 on all active vhosts you need the option in
/etc/apache2/mods-available/ssl.conf :
SSLProtocol all -SSLv2 -SSLv3