How to ensure that Apache does not allow SSL 2.0/SSL 3.0 protocol?

Created: 2016-11-16 13:11:51 UTC

Modified: 2017-04-24 11:17:59 UTC


Applicable to:

  • Plesk for Linux

Symptoms

The following warning is shown in a security report:

The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Resolution

The SSL protocols that Apache uses are set with the "SSLProtocol" option. To disable the SSL 2.0 and SSL 3.0 protocols, modify /etc/httpd/conf.d/ssl.conf or httpd.conf, adding the line:

SSLProtocol all -SSLv2 -SSLv3

Restart Apache after modifying the configuration files.
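
To check that no other SSLProtocol line (for example in a virtual host file) still leaves the old protocols on, the following added example, which is not part of the original article or of Plesk, evaluates each directive left to right the way mod_ssl does: "+" adds, "-" removes, and a bare name replaces the set so far. The function names are hypothetical, and "all" is assumed to include SSLv2 and SSLv3, which is the worst case found on old builds.

```shell
#!/bin/sh
# legacy_protocols "<SSLProtocol arguments>"
# Prints which of SSLv2/SSLv3 the argument list leaves enabled (or nothing).
# Assumption: "all" includes SSLv2 and SSLv3 (worst case, old builds).
legacy_protocols() {
    v2=0; v3=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        val=1
        case "$tok" in
            +*) name=${tok#+} ;;
            -*) name=${tok#-}; val=0 ;;
            *)  name=$tok; v2=0; v3=0 ;;  # bare token replaces the set so far
        esac
        case "$name" in
            all)   v2=$val; v3=$val ;;
            sslv2) v2=$val ;;
            sslv3) v3=$val ;;
        esac
    done
    out=""
    if [ "$v2" -eq 1 ]; then out="SSLv2"; fi
    if [ "$v3" -eq 1 ]; then out="${out:+$out }SSLv3"; fi
    printf '%s' "$out"
}

# audit_file <path>: print "path:line: enables <protocols>" for every
# non-comment SSLProtocol directive that leaves SSLv2/SSLv3 enabled.
# Returns 1 if any such directive was found, 0 otherwise.
audit_file() {
    bad=0
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        # Drop leading whitespace and the directive name, keep the arguments.
        args=$(printf '%s' "${hit#*:}" | sed 's/^[[:space:]]*[^[:space:]]*//')
        left=$(legacy_protocols "$args")
        if [ -n "$left" ]; then
            echo "$1:$lineno: enables $left"
            bad=1
        fi
    done <<EOF
$(grep -inE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || true)
EOF
    return $bad
}

# Constructed sample directives (not taken from a real server):
for d in "all -SSLv2 -SSLv3" "all -SSLv2" "TLSv1.2"; do
    echo "SSLProtocol $d -> legacy enabled: [$(legacy_protocols "$d")]"
done
```

Run audit_file against each configuration file that Apache loads, such as /etc/httpd/conf.d/ssl.conf; a non-zero return means at least one directive still needs the line above.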

Additional Information

Additional information about mod_ssl can be found here.

Note: The actual path to the Apache or SSL configuration files may differ depending on the operating system installed.
