How to disable the Apache SSLv3 protocol for your web server security
With most businesses moving online, internet security has become a crucial concern. Vulnerabilities are exposed so constantly in the web world that on any given day you can wake up to a new exploit or hack.
To be on the safer side and to protect data and transactions from attackers, server owners have secure protocols such as SSL or TLS installed on their servers.
SSL is a protocol used to transfer data securely over the internet. When an SSL version is enabled on both the server and the client (such as a web browser), the two can establish a secure connection for transmitting confidential data over the web.
But if the secure protocol you use for data transmission is itself vulnerable, chances are that attackers can exploit it and sniff out your confidential data.
What is SSLv3? Why is it unsafe?
Two SSL protocol versions were released, SSLv2 and SSLv3. Though SSLv2 was widely used initially, it was later found to be insecure. SSLv2 was followed by SSLv3, which improved on its predecessor by adding stronger ciphers and certificate authentication.
But SSLv3 was based on a weaker key derivation process, which makes it insecure and unsafe. As a result, it is important to disable SSLv3 and replace it with the more secure TLS protocol.
Why is SSLv3 dangerous?
In October 2014 the POODLE attack, which exploits flaws in the SSLv3 protocol design, was disclosed. This SSLv3 vulnerability allowed an attacker to easily recover the contents transferred over SSLv3 connections.
Since most web browsers at the time supported and used the SSLv3 protocol, the attack was widespread and caused panic among internet users. The security of every confidential transaction was thrown into doubt.
The fix for this vulnerability is to disable the SSLv3 version on the web server and enable TLS encryption, which is considered more secure than SSL.
At Bobcares, our 24/7 security expert team immediately alerted us about this vulnerability, which helped us secure our customers’ servers proactively by disabling SSLv3 on them.
How to disable SSLv3 in web servers
While online transmissions happen through all the common internet services such as email, web, etc., it is through web servers that the largest share of data transfer takes place.
Today we’ll see how to disable SSLv3 protocol in the commonly used web servers – Apache, NginX & IIS.
How to disable SSLv3 in Apache
If you are using the Apache web server, here is how you can disable the SSLv3 protocol:
1. Edit the Apache SSL configuration file at /etc/apache2/mods-available/ssl.conf using a text editor such as vi.
2. Go to the section of SSL directives and change the line
   SSLProtocol all
   to
   SSLProtocol All -SSLv2 -SSLv3
3. Add the cipher directives:
   SSLHonorCipherOrder On
   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
4. Save the file, test the new configuration and restart the Apache service.
You can also apply this security update from the web server’s WHM, at the ‘Apache Configuration’ screen -> Global Configuration -> SSL/TLS Protocols section.
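The four steps above, carried out as a script: this is an added example, not code from the original post or from Bobcares. It assumes the path of the mod_ssl config file is passed as the first argument (the post uses /etc/apache2/mods-available/ssl.conf; on RHEL-style systems the equivalent file is /etc/httpd/conf.d/ssl.conf), and it only calls apachectl when that command exists on the host. The function names, the backup naming and the sample config in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the original post): disable SSLv2/SSLv3 in an Apache
# mod_ssl config, apply the cipher settings from the post, then verify.
# Assumption: $1 is the config file to edit, e.g. /etc/apache2/mods-available/ssl.conf

# Cipher list exactly as given in step 3 of the post.
CIPHERS='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS'

# set_directive FILE NAME VALUE
# Rewrites every "NAME ..." line to "NAME VALUE", keeping its indentation;
# appends the directive when the file has none. Uses a temp file + mv instead
# of sed -i so it behaves the same with GNU and BSD sed.
set_directive() {
    conf="$1"; name="$2"; value="$3"
    if grep -q "^[[:space:]]*$name[[:space:]]" "$conf"; then
        sed "s|^\([[:space:]]*\)$name[[:space:]].*|\1$name $value|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Steps 1-3: keep a rollback copy, then rewrite/add the three directives.
harden_ssl_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_directive "$conf" SSLProtocol "All -SSLv2 -SSLv3"
    set_directive "$conf" SSLHonorCipherOrder On
    set_directive "$conf" SSLCipherSuite "$CIPHERS"
}

# Check: returns 0 only when the file has at least one SSLProtocol line and
# every one of them removes SSLv3. A stray "SSLProtocol all" in a vhost block
# would re-enable SSLv3 for that site, so all occurrences must be safe.
sslv3_disabled() {
    conf="$1"
    [ -f "$conf" ] || return 1
    total=$(grep -c '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" || true)
    safe=$(grep -c '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3' "$conf" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$safe" ]
}

# Step 4: syntax-check first so a typo never takes the site down, then reload
# without dropping in-flight requests.
apache_test_and_restart() {
    command -v apachectl >/dev/null 2>&1 \
        || { echo "apachectl not found; test and restart manually" >&2; return 1; }
    apachectl configtest && apachectl graceful
}

# Usage: sh disable_sslv3.sh /etc/apache2/mods-available/ssl.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    harden_ssl_conf "$1"
    if sslv3_disabled "$1"; then echo "SSLv3 disabled in $1"; fi
    apache_test_and_restart
fi
```

Directives that were absent are appended at the end of the file, which on Debian/Ubuntu lands after the closing </IfModule mod_ssl.c>; that is still valid server-wide configuration, but move them inside the block if you prefer to keep the file tidy. Remember that SSLProtocol set inside a <VirtualHost> overrides the global value, so grep all of /etc/apache2 (or /etc/httpd) for SSLProtocol, not just this one file. After the restart you can confirm from another machine that an SSLv3 handshake is refused with `openssl s_client -connect yourhost:443 -ssl3`, which should fail with a handshake error rather than print a certificate.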