Question
How do I disable SSLv3 on my CP server?
Environment
OnApp version 3.x, 4.x, 5.x, 6.x
Answer
The OnApp installation includes the openssl utility, and two Apache configuration files define the SSLProtocol directive: /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/onapp.conf. To disable SSLv3, modify the SSLProtocol directive in each file so that it explicitly includes -SSLv3. With the default installation, the directives look something like this:
in /etc/httpd/conf.d/onapp.conf:
SSLProtocol -ALL +SSLv3 +TLSv1
in /etc/httpd/conf.d/ssl.conf:
SSLProtocol all -SSLv2
These need to be modified so that SSLv3 is disabled, so they would look like this:
in onapp.conf:
SSLProtocol -ALL -SSLv3 +TLSv1
in ssl.conf:
SSLProtocol all -SSLv2 -SSLv3
Once these changes are made and saved, you will want to stop the onapp service:
service onapp stop
and then restart Apache:
/etc/init.d/httpd restart
and then restart onapp:
service onapp start
Once these services are restarted, SSLv3 will be disabled.
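To check the edited files, the following added example (not OnApp's own tooling) evaluates each SSLProtocol line and reports whether SSLv3 is still enabled, disabled, or the directive is missing from the file. The function names and sample files are constructed for illustration, and it assumes "all" includes SSLv3, as in the default lines shown above.

```shell
#!/bin/sh
# Added example: evaluate SSLProtocol directives as mod_ssl does, left to
# right: +X adds, -X removes, a bare name replaces the whole set.
# Assumption: "all" includes SSLv3, as in the default install shown above.

# Print "enabled" or "disabled" for the arguments of one directive.
sslv3_from_tokens() {
    state=disabled
    for tok in "$@"; do
        t=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$t" in
            +all|all|+sslv3|sslv3) state=enabled ;;
            -all|-sslv3)           state=disabled ;;
            +*|-*)                 ;;                # other protocol toggled
            *)                     state=disabled ;; # bare name resets the set
        esac
    done
    printf '%s\n' "$state"
}

# Print "enabled" if any active SSLProtocol line in FILE leaves SSLv3 on,
# "disabled" if every such line turns it off, "missing" if there is none.
check_conf() {
    file=$1
    result=missing
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f    # split on whitespace, keep "*" literal
        [ $# -gt 0 ] || continue
        name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        [ "$name" = sslprotocol ] || continue
        shift
        result=$(sslv3_from_tokens "$@")
        [ "$result" = enabled ] && break
    done < "$file"
    printf '%s\n' "$result"
}

# Constructed sample files mirroring the lines quoted on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '<VirtualHost *:443>\n SSLEngine on\n SSLProtocol -ALL +SSLv3 +TLSv1\n</VirtualHost>\n' > "$demo_dir/onapp.before"
printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$demo_dir/ssl.after"
printf '<VirtualHost *:443>\n SSLEngine on\n</VirtualHost>\n' > "$demo_dir/onapp.nodirective"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(check_conf "$f")"
done
```

On the CP server, call check_conf on /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/onapp.conf instead of the sample files.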
Additional Info
More information on the vulnerability can be found at https://access.redhat.com/security/cve/CVE-2014-3566. There is currently no patch available, so disabling SSLv3 is highly recommended.
Comments
1 comment
Since the SSLProtocol line may be missing from your current onapp.conf file, you just need to insert "SSLProtocol -ALL -SSLv3 +TLSv1" in the <VirtualHost *:443> section, right under the "SSLEngine" line of onapp.conf.