I have a new install of ubuntu server version 14.04.1
I have apache2 with SSL enabled.
I want to disable SSLv3
(I am aware this is a popular question but I have trawlled all other answers on multiple sites and I believe I have followed all the steps they suggest.)
When I use the command:
nmap --script ssl-enum-ciphers -p 443 MYDOMAIN.com
I can see two sets of ciphers. One SSLv3 and one TLSV1.0
I have the SSL module enabled
and it's configuation file is /etc/apache2/mods-enabled/ssl.conf
I have altered it by changing the line
SSLProtocol all
to
SSLProtocol All -SSLv2 -SSLv3
From all the documentation and web tutorials this should disable SSLv3.
I restart apache with the command
sudo service apache2 restart
but there is no change. SSLv3 is still listed.
I have tried stopping the server and re-running the command to ensure I am not accidently checking the wrong server. As expected the result changes.
Can anyone suggest what mistake I am making.
Robert
My exact ubuntu version:
root@xxxx:/etc/apache2/mods-enabled# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
My exact apache2 version:
root@xxxx:~# apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38
My exact openssl version:
root@xxxx:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
References:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol
Best Answer
I found that I had other config files which overrode the option.
It was possible to find the files by running: