How to disable SSLv3 in Apache
2022-07-18 04:44:00 【Beauty of operation and maintenance】
This article originally appeared on the WeChat official account "Beauty of operation and maintenance", an official account that keeps raising your game!
Preface: the SSLv3 vulnerability (CVE-2014-3566). SSL 3.0 is considered insecure: it uses either RC4 encryption or CBC-mode encryption, the former is vulnerable to bias attacks and the latter enables the POODLE attack. In production this vulnerability is frequently flagged by scanners, so to remediate it the SSLv3 protocol needs to be disabled on the Apache server side.
1. Environment preparation
Understanding SSL and TLS: HTTP transmits data in plaintext, and HTTPS emerged to solve this; SSL is the encryption protocol that HTTPS is built on. After SSL was updated to version 3.0, the IETF (Internet Engineering Task Force) standardized SSL 3.0, and the standardized protocol is TLS 1.0, so TLS is the product of standardizing SSL. TLS currently has three versions, 1.0, 1.1 and 1.2, with 1.0 used by default. That gives us a basic understanding of SSL and TLS.
- Server runtime environment required for the web server to support TLS 1.2:
Apache version should be >= 2.2.23;
OpenSSL version should be >= 1.0.1
- Check the server's current Apache version
[[email protected] conf.d]# httpd -v
Server version: Apache/2.4.29 (Unix)
Server built: Jan 22 2018 16:51:25
- OpenSSL version
[[email protected] conf.d]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. Environment remediation
Test the domain that has the security vulnerability. As shown below, access over SSLv3 returns data normally, so an attacker could use this vulnerability to compromise the system.
[[email protected] conf.d]# curl --sslv3 https://cs.df230.xyz/test/api/configs/fedch/all
{
"overdue" : false,
"success" : true,
"errorCode" : null,
"message" : " The request is successful ",
"data" : {
"global" : {
"copyright" : " Feature list ",
}
Apache supports the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols by default
(Note: the SSL feature requires LoadModule ssl_module modules/mod_ssl.so to be enabled in httpd.conf)
Apache's default configuration is as follows
SSLProtocol All -SSLv2
Go to the directory /usr/local/apache/conf/extra
Use vi to modify ssl.conf according to the configuration below; the purpose is to turn off the SSLv3 protocol. Note that mod_ssl applies the last SSLProtocol directive in a scope, so with both lines present the effective setting is TLSv1.2 only; either line on its own already excludes SSLv3.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2
After saving the configuration, restart Apache with service httpd restart so that the configuration takes effect
Test SSLv3 access again; it can no longer connect
[[email protected] conf.d]# curl --sslv3 https://cs.df230.xyz/test/api/configs/fedch/al
curl: (35) SSL connect error
Open developer mode with F12 in the Google Chrome browser and you can see that the SSL protocol the browser uses to access the current domain is TLS 1.2.
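As an added check that is not part of the original post, the following shell function reads an ssl.conf and reports the protocol set that the last SSLProtocol directive in it actually enables (mod_ssl applies the last such directive in a scope), so the fix above can be verified offline before restarting httpd. It assumes that "all" expands to the four protocols the post lists as Apache's defaults and ignores tokens outside that set, such as SSLv2.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): compute the protocol set an Apache
# mod_ssl configuration really enables. Assumption: "all" = SSLv3 TLSv1 TLSv1.1
# TLSv1.2 (the post's stated defaults); other tokens (e.g. SSLv2) are ignored.

# Usage: effective_protocols CONFIG_FILE -> prints enabled protocols, space separated
effective_protocols() {
    awk '
    BEGIN {
        n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", proto, " ")
        for (j = 1; j <= n; j++) canon[tolower(proto[j])] = proto[j]
    }
    function set(p, s) { if (s == "+") on[p] = 1; else delete on[p] }
    tolower($1) == "sslprotocol" {
        seen = 1
        split("", on)                      # reset: the last directive in scope wins
        for (i = 2; i <= NF; i++) {
            tok = $i; sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = "+"
            if (tolower(tok) == "all") { for (j = 1; j <= n; j++) set(proto[j], sign) }
            else if (tolower(tok) in canon) set(canon[tolower(tok)], sign)
            # any other token is outside the assumed set and is ignored
        }
    }
    END {
        # no directive at all: treat as the post'"'"'s default "All -SSLv2"
        if (!seen) for (j = 1; j <= n; j++) on[proto[j]] = 1
        out = ""
        for (j = 1; j <= n; j++)
            if (proto[j] in on) out = out (out == "" ? "" : " ") proto[j]
        print out
    }' "$1"
}

# Returns 0 (true) when SSLv3 is still enabled, i.e. the fix is NOT in place.
sslv3_enabled() {
    case " $(effective_protocols "$1") " in
        *" SSLv3 "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it against the edited ssl.conf; an exit status of 1 from sslv3_enabled means the remediation is effective.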

With that, the vulnerability remediation is complete. So easy!
For more articles, please follow the WeChat official account "Beauty of operation and maintenance"!
Copyright notice
This article was written by [Beauty of operation and maintenance]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/199/202207151439516636.html