Hi All, We have found that in order to fully disable SSLv3 on a given server it is necessary to add the SSLProtocol line below to the vhost file for every site that has SSL enabled, including ispconfig.vhost for the ispconfig interface itself. This is the same SSL configuration statement being recommended all over the place in order to disable SSLv3:
    SSLProtocol All -SSLv2 -SSLv3
This can be done manually or through ispconfig itself, such as via the apache directives under the options tab of a given site. Question: is there any plan to do this more effectively so that this does not have to be done manually on each and every vhost file? Am happy to be proven wrong, but based on testing, changing only the ssl.conf file is not sufficient to disable SSLv3. Thanks
Normally that should work as it overrides the global ssl settings, and as long as you don't define a different SSLProtocol setting inside the vhost, then the vhost should use this setting. If this won't work on your server, then you should scan for the existence of SSLProtocol in all apache config files, as there might be a second definition on your server that overrides the ssl settings file. The local setting of SSLProtocol in each ssl vhost is already part of ISPConfig 3.0.5.4p5, so there is no manual editing required for that as well.
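The scan suggested above, as an added example that is not part of the original thread and is not ISPConfig code: it reports, by file and line, whether each SSLProtocol directive is server-wide or scoped to a single <VirtualHost> block, and which SSL vhosts set none at all, which a plain grep -R does not show. The function names, the sample tree and the choice of *.conf and *.vhost files are assumptions.

```sh
#!/bin/sh
# Added example: audit where SSLProtocol is set and whether SSLv3 stays on.
# audit_sslprotocol DIR scans *.conf and *.vhost files below DIR.
audit_sslprotocol() {
    find "$1" -type f \( -name '*.conf' -o -name '*.vhost' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
        # Apply SSLProtocol tokens left to right. "All" is counted as enabling
        # SSLv3, which is why the directive in the thread subtracts it again.
        # Other tokens leave the state unchanged (simplified, errs toward "on").
        function sslv3(d,   n, t, i, on) {
            n = split(tolower(d), t, /[ \t]+/); on = 0
            for (i = 2; i <= n; i++) {
                if (t[i] ~ /^[+]?(all|sslv3)$/) on = 1
                else if (t[i] ~ /^-(all|sslv3)$/) on = 0
            }
            return on ? "sslv3=on" : "sslv3=off"
        }
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line); key = tolower(line) }
        key ~ /^#/ || key == "" { next }
        key ~ /^<virtualhost[ \t]/ {
            invh = 1; start = NR; ssl = 0; state = "inherits-global"
            addr = line; gsub(/^<[^ \t]+[ \t]+|>$/, "", addr); next
        }
        key ~ /^<\/virtualhost>/ {
            if (ssl) printf "%s:%d VHOST %s %s\n", file, start, addr, state
            invh = 0; next
        }
        key ~ /^sslengine[ \t]+on$/ && invh { ssl = 1 }
        key ~ /^sslprotocol[ \t]/ {
            if (invh) state = sslv3(line)          # scoped to this vhost only
            else printf "%s:%d GLOBAL %s\n", file, NR, sslv3(line)
        }
        ' "$f"
    done
}

# Constructed sample tree (not from the thread) for trying the audit offline.
make_sample() {
    mkdir -p "$1/conf.d" "$1/sites"
    printf '%s\n' '<VirtualHost _default_:443>' 'SSLEngine on' \
        'SSLProtocol All -SSLv2 -SSLv3' '</VirtualHost>' > "$1/conf.d/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' 'SSLEngine on' \
        '</VirtualHost>' > "$1/sites/example.vhost"
}

d=$(mktemp -d) && make_sample "$d" && audit_sslprotocol "$d"; rm -rf "$d"
```

On the constructed sample the directive sits inside the _default_:443 block, so the second vhost is reported as inherits-global while no GLOBAL line is printed at all.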
Well, on a vanilla installation of ispconfig3 on CentOS 6.5, after changing ssl.conf all the sites on that server with SSL enabled as well as the ispconfig interface itself still had SSLv3 enabled and did not pass the various online POODLE SSL checkers; they all said SSLv3 still enabled. Using grep -R I verified that the SSLProtocol statement was not anywhere else in /etc/httpd/ or any subdir other than in the ssl.conf file. Any comments? Thanks
I just checked another server running the same OS and ispconfig 3.0.5.4p3. On this server, changing ssl.conf did disable SSLv3 on the configured sites using SSL but not on the ispconfig interface itself. For ispconfig itself I had to modify the ispconfig.vhost file. The prior server I mentioned is running ispconfig version 3.0.5.2, not sure if it matters. Hope this info is useful.
The ispconfig vhost is a normal apache vhost, there is nothing specific with it. So as I explained above, there must be an issue with apache if a global setting is not applied to all vhosts that don't override that setting.