Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect
Hi, You may be hitting bug [1], which has been fixed in latest 2.4.16 and 2.2.31. Not sure anymore that the bug indicated is the one affecting our Apache installation. Seems like the SSLCipherSuite directive is also simply ignored. This is very peculiar, since any and all directives in a VirtualHost context is active, except for the ones pertaining to SSL. What could be a common cause of such behaviour? We just don't know what to do... Regards, François
[users@httpd] Apache 2.4: SSLProtocol directive not taking effect
Hi, We've been stumped by a configuration problem of our Apache 2.4 server, on CentOS 7. Our goal is to prevent the Poodle vulnerability by removing the SSLv3 protocol. But it seems this directive is not taking any effect: SSLProtocol All -SSLv3 It's located within a VirtualHost context (in /etc/httpd/conf.d/example.com.conf): VirtualHost 123.456.789.01:443 SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:$ SSLHonorCipherOrder on And the default (in /etc/httpd/conf.d/ssl.conf) VirtualHost _default_:443 SSLProtocol All -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!$ SSLHonorCipherOrder on We have of course restarted Apache, but tests show that SSLv3 is still enabled. I'm certain this is a simple problem, but the logs are silent about this (at LogLevel debug), and we are not able to solve it. Thanks, François
Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect
On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com hebergem...@arbrebinaire.com wrote: Hi, We've been stumped by a configuration problem of our Apache 2.4 server, on CentOS 7. Our goal is to prevent the Poodle vulnerability by removing the SSLv3 protocol. But it seems this directive is not taking any effect: You may be hitting bug [1], which has been fixed in latest 2.4.16 and 2.2.31. Regards, Yann. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100 - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache 2.4: SSLProtocol directive not taking effect
Thanks much, that has to be it. Regards, François L'équipe Arbre binaire, Hébergement web hebergem...@arbrebinaire.com Arbre binaire Hébergement web http://hebergement.arbrebinaire.com/ 2015-07-22 18:22 GMT-04:00 Yann Ylavic ylavic@gmail.com: On Wed, Jul 22, 2015 at 11:14 PM, Hébergement web ArbreBinaire.com hebergem...@arbrebinaire.com wrote: Hi, We've been stumped by a configuration problem of our Apache 2.4 server, on CentOS 7. Our goal is to prevent the Poodle vulnerability by removing the SSLv3 protocol. But it seems this directive is not taking any effect: You may be hitting bug [1], which has been fixed in latest 2.4.16 and 2.2.31. Regards, Yann. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57100 - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org