I have Apache 2.4.9 running on Windows Server 2008 R2.
SERVER_SOFTWARE Apache/2.4.9 (Win32) PHP/5.5.12 OpenSSL/1.0.1g
SSL_PROTOCOL TLSv1.2
Registered Stream Socket Transports tcp, udp, ssl, sslv3, sslv2, tls
I need to immediately disable SSLv3 to prevent POODLE attacks. To do that I opened the file \conf\extra\httpd-ssl.conf
Then I added the following line of code to it:
SSLProtocol All -SSLv2 -SSLv3
After saving the changes, I restarted Apache.
When it came back up, I looked at the output of phpinfo(), but I still can see the following:
SSL_PROTOCOL TLSv1.2
Registered Stream Socket Transports tcp, udp, ssl, sslv3, sslv2, tls
Is phpinfo() where I check to see if SSLv3 and SSLv2 are disabled or not?
Here are more methods I have done to ensure I am doing this correctly.
I tried adding this line instead of the other command (i.e. SSLProtocol All -SSLv2 -SSLv3):
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1.2
I even tried searching for any file that contains the word "SSLProtocol" inside the Apache24 directory like so:
C:\Apache24>findstr /s /i /p "SSLProtocol" *.*
This only found 2 files:
- httpd-ssl.conf
- CHANGES.txt
How to check if SSLv3 is disabled or not on my server? If it is not disabled yet, how to properly disable it?
SSLProtocol All -SSLv2 -SSLv3 should disable the SSLv3 protocol in your Apache installation. For reference. I would not be sure about phpinfo(); however, if you want to see the enabled protocols on your site, browse here and enter your site address. Found this post here. You can use openssl as well to check absence of SSLv3. Use below command to see what SSL protocols are enabled.
To see other promising tools you can Google and give it a try.
Hope that helps!
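A handshake probe answers "is SSLv3 still accepted?" directly, which phpinfo() cannot: SSL_PROTOCOL is only the protocol negotiated for that one request, and "Registered Stream Socket Transports" lists PHP's own client-side stream transports, not what Apache's SSLProtocol allows. The script below is an added example, not code from the question or the answer; it offers one protocol version per connection and reads the server's first reply. The host `localhost`, port 443 and the cipher list are assumptions.

```python
import os
import socket
import struct

# Protocol versions as they appear on the wire: SSLv3 is 3.0, TLS 1.0-1.2 are 3.1-3.3.
VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
# Assumed cipher list: common RSA suites (AES, 3DES, RC4) that SSLv3 can also negotiate.
CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def client_hello(version):
    """Build a minimal ClientHello record offering exactly one protocol version."""
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, no session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    record_version = min(version, 0x0301)  # TLS clients conventionally send 3.1 here
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

def classify(reply, version):
    """Interpret the first record the server sends back."""
    if len(reply) < 5:
        return "rejected"  # connection closed without a usable record
    if reply[0] == 0x15:
        return "rejected"  # alert record, e.g. handshake_failure or protocol_version
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        chosen = struct.unpack("!H", reply[9:11])[0]  # ServerHello.server_version
        return "accepted" if chosen == version else "rejected"
    return "unknown"

def probe(host, port, name, timeout=5.0):
    """Offer one protocol version to host:port and report the server's answer."""
    version = VERSIONS[name]
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with s:
        try:
            s.sendall(client_hello(version))
            return classify(s.recv(4096), version)
        except OSError:
            return "rejected"  # reset or timed out without a ServerHello

if __name__ == "__main__":
    for name in VERSIONS:  # assumption: run on the server itself against port 443
        print(name, probe("localhost", 443, name))
```

With `SSLProtocol All -SSLv2 -SSLv3` in effect for the virtual host, the SSLv3 line should read `rejected` while the TLS lines read `accepted`.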