Question
How do I disable SSLv3 on my CP server?
Environment
OnApp version 3.x , 4.x , 5.x
Answer
In the OnApp installation the openssl utility is installed and there are 2 apache configuration files that have the SSLProtocol directive defined, these are /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/onapp.conf . To disable SSLv3 you will need to explicitly disable SSLv3 by modifying the SSLProtocol directive to include -SSLv3. It will look something like this with the default installation
in /etc/httpd/conf.d/onapp.conf
SSLProtocol -ALL +SSLv3 +TLSv1
in /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2
These will need to be modified to so that SSLv3 is disabled so it would look like
in onapp.conf
SSLProtocol -ALL -SSLv3 +TLSv1
in ssl.conf
SSLProtocol all -SSLv2 -SSLv3
Once these changes have been made and saved you will want to stop the onapp service
service onapp stop
and then restart apache
/etc/init.d/httpd restart
and then restart onapp
service onapp start
Once these have been restarted SSLv3 will be disabled.
Additional Info -- More information on the vulnerability can be found at https://access.redhat.com/security/cve/CVE-2014-3566 . There currently is no patch available so disabling SSLv3 is highly recommended.
Comments
1 comment
Since the SSLProtocol line may be missing from your current onapp.conf file, you just need to insert "SSLProtocol -ALL -SSLv3 +TLSv1" in the <VirtualHost \*:443> section, right under the "SSLEngine" line of onapp.conf.
Please sign in to leave a comment.