Apache – How to disable SSLv3 in Apache


Everybody seems to be talking about the POODLE vulnerability today. And everybody recommends disabling SSLv3 in Apache using the following configuration directive:

SSLProtocol All -SSLv2 -SSLv3

instead of the default

SSLProtocol All -SSLv2

I've done that, and no joy – after testing repeatedly with various tools (here's a fast one), I find that SSLv3 is happily accepted by my server.

Yes, I did restart Apache. Yes, I did a recursive grep on all configuration files, and I don't have any override anywhere. And no, I'm not using some ancient version of Apache:

[root@server ~]# apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

So, what gives? How does one really disable SSLv3 in Apache?

Best Answer

I had the same problem... You have to include SSLProtocol all -SSLv2 -SSLv3 within every VirtualHost stanza in httpd.conf

The VirtualHost stanzas are generally towards the end of the httpd.conf file. So for example:

...
...
<VirtualHost your.website.example.com:443>
    DocumentRoot /var/www/directory
    ServerName your.website.example.com

    ...
    SSLEngine on
    ...
    SSLProtocol all -SSLv2 -SSLv3
    ...
</VirtualHost>

Also check ssl.conf or httpd-ssl.conf or similar, because it may be set there, not necessarily in httpd.conf.
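An added audit script (not from the question or the answer) that applies this rule to a config text: it evaluates each SSLEngine-on vhost's effective SSLProtocol and lists the ones that still admit SSLv3. It assumes that a vhost's own SSLProtocol replaces the global one, that a vhost without one inherits the global value, and that Apache 2.2's built-in default is all -SSLv2 when neither is set; the sample config is constructed.

```python
import re

# Constructed sample httpd.conf: the global line excludes SSLv3, but the first
# vhost overrides it with the old default and the second sets nothing at all.
SAMPLE_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
    SSLProtocol All -SSLv2
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # what 'all' expands to


def enabled_protocols(value):
    """Evaluate an SSLProtocol value into the set of protocols it enables."""
    enabled = set()
    for tok in value.split():
        name = tok.lstrip("+-").lower()
        members = KNOWN if name == "all" else {name}
        enabled = enabled - members if tok.startswith("-") else enabled | members
    return enabled


def directives(text):
    """Map lower-cased directive names to values; a later duplicate wins, as in Apache."""
    return {m.group(1).lower(): m.group(2) for m in DIRECTIVE_RE.finditer(text)}


def find_sslv3_vhosts(conf_text, server_default="all -SSLv2"):
    """Return ServerNames of SSLEngine-on vhosts whose effective SSLProtocol admits SSLv3."""
    # Assumption: global SSLProtocol (or Apache 2.2's built-in 'all -SSLv2') is the
    # fallback for vhosts that set none; a vhost's own directive replaces it entirely.
    global_proto = directives(VHOST_RE.sub("", conf_text)).get("sslprotocol", server_default)
    offenders = []
    for m in VHOST_RE.finditer(conf_text):
        d = directives(m.group(1))
        if d.get("sslengine", "off").lower() != "on":
            continue  # plain-HTTP vhost, SSLProtocol is irrelevant there
        if "sslv3" in enabled_protocols(d.get("sslprotocol", global_proto)):
            offenders.append(d.get("servername", "<unnamed vhost>"))
    return offenders
```

Run it over the concatenation of httpd.conf and every file it Includes (ssl.conf, httpd-ssl.conf), since the overriding stanza is often in one of those.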
