SSLv3 must be disabled per vhost to fully mitigate poodle

Discussion in 'ISPConfig 3 Priority Support' started by ronee, Nov 19, 2014.

  1. ronee

    ronee Member HowtoForge Supporter

    Hi All,

    We have found that in order to fully disable SSLv3 on a given server it is necessary to add the SSLProtocol line below to the vhost file for every site that has SSL enabled including ispconfig.vhost for the ispconfig interface itself.

    This is the same SSL configuration statement being recommended all over the place in order to disable SSLv3:

    SSLProtocol All -SSLv2 -SSLv3

    This can be done manually or through ispconfig itself such as via the apache directives under the options tab of a given site.

    Question is there any plan to do this more effectively so that this does not have to be done manually on each and every vhost file?

    Am happy to be proven wrong but based on testing changing only the ssl.conf file is not sufficient to disable SSLv3.

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally that should work as it overrides the global ssl settings and as long as you dont define a different SSLProtocol setting inside the vhost, then the vhost should use this setting. If this wont work on your server, then you should scan for the existing of SSLProtocol in all apache config files as there might be a second definition on your server that overrides the ssl settings file.

    The local setting of SSLProtocol in each ssl vhost is already part of ISPConfig, so there is no manual editing required for that as well.
  3. ronee

    ronee Member HowtoForge Supporter

    Well on a vanilla installation of ispconfig3 on Centos 6.5, after changing ssl.conf all the sites on that server with SSL enabled as well as the ispconfig interface itself still had SSLv3 enabled and did not pass the various online poodle SSL checkers, they all said SSLv3 still enabled.

    Using grep -R I verified that the SSLProtocol statement was not anywhere else in /etc/httpd/ or any subdir other than in the ssl.conf file.

    Any comments?

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess this can only be answered by the apache developers, maybe its even a bug in apache.
  5. ronee

    ronee Member HowtoForge Supporter

    I just checked another server running the same OS and ispconfig

    On this server, changing ssl.conf did disable SSLv3 on the configured sites using SSL but not on the ispconfig interface itself. For ispconfig itself I had to modify the ispconfig.vhost file.

    The prior server I mentioned is running ispconfig version, not sure if it matters.

    Hope this info is useful.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig vhost is a normal apache vhost, there is nothing specific with it. S as I explained above, there must be an issue with apache if a global setting is not applied to all vhosts that dont override that setting.
  7. ronee

    ronee Member HowtoForge Supporter

    Understood, thanks Till.

Share This Page