Written by Tech Notes
Category: Security
Published: 03 November 2014

Disabling SSL 3 Support On Servers And Software

Initial Comments

Due to limited time at the time of writing this, I needed to dump fast info here and did not have time to provide pics or elaborate.  I do not get paid to do these articles.

This article assumes that you know how to get command-line access to your server of interest.

 

On Apache 2.2.23 and newer, have this in the ssl.conf file:

SSLProtocol ALL -SSLv2 -SSLv3

You will need to locate your ssl.conf; here are some typical locations:
General Linux, Fedora, RHL, Centos: /etc/httpd/conf.d/ssl.conf
Ubuntu: /etc/apache2/mods-available/ssl.conf

On Apache 2.2.22 and older, have this in the ssl.conf file (if I recall correctly from a while back, it could also be in the httpd.conf file):

SSLProtocol TLSv1

You can see more on the SSLProtocol directive here by scrolling halfway down that page.

 

For Apache that has mod_nss, do this:

Using your choice of text or code editor (such as Vim/vi or Notepad), modify the file /etc/httpd/conf.d/nss.conf to allow only TLS 1 and higher by having this line in that file:

NSSProtocol TLSv1.0,TLSv1.1

or

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

 

On Microsoft IIS

This example references Windows 2012:

  1. Make a full backup of your Windows Registry.
  2. Edit Windows Registry while logged in as the OS Administrator (Owner).
  3. Run the command regedit.exe.
    1. If needed, you can right-click on regedit.exe and choose Run as administrator.
  4. Once in the Registry Editor, do the following carefully:
    1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
    2. Assuming an "SSL 3.0" key is not already showing, right-click on Protocols, select New, and then select Key.
    3. Name the key "SSL 3.0".
    4. Right-click on the new SSL 3.0 key that you just made, select New, and then select Key, like before.
    5. Name the key Client.
    6. Again, right-click on the new SSL 3.0 key, select New, and then select Key, like before.
    7. Name the key Server.
    8. Expand the SSL 3.0 key, right-click on Client, select New, and then select DWORD (32-bit) Value.
    9. Name the value DisabledByDefault.
    10. Again, under SSL 3.0, select Client and then double click on the DisabledByDefault DWORD value in the right pane.
    11. Change the "Value data" field to 1 (this is in the window that is titled "Edit DWORD (32-bit) Value") and click OK.
    12. Again, under SSL 3.0, right-click on Server, and select New, and then select DWORD (32-bit) Value.
    13. Name the value Enabled.
    14. Again, under SSL 3.0, select Server and then double click on the Enabled DWORD value shown in the right pane window.
    15. Similar to above, change the "Value data" field to 0, click OK.
    16. Restart your Windows server.

 

For Sendmail 8.9.x and Newer versions

Modify the LOCAL_CONFIG section in the sendmail.mc file.  You will need to locate the sendmail.mc file in use; it is often at /etc/mail/sendmail.mc.  Lines in LOCAL_CONFIG are copied into sendmail.cf as-is, so each option carries the O prefix.  Have the following in it:

O CipherList=HIGH

O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE

O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

 

For Postfix SMTP

My understanding is that if you do not have your Postfix set up to use encryption at all times, then this may not need to be done.  If it is, then do the following.  Edit the main Postfix configuration file, which you will need to locate; it is often at /etc/postfix/main.cf.  Modify it to have this line:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

I believe it also works if you have a space after the comma.
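
To check that the Apache, mod_nss and Postfix lines shown above really leave SSLv3 off, here is an added example (not part of the original article) that scans configuration text and reports any directive that still permits it.  The function names and the sample text are made up for illustration, and the SSLProtocol handling is a simplified model that assumes "ALL" includes SSLv3.

```python
import re

ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # assumption: "all" includes SSLv3

def apache_allows_sslv3(value):
    """Simplified model of SSLProtocol: tokens are applied left to right."""
    enabled = set()
    for tok in value.lower().split():
        name = tok.lstrip("+-")
        protos = ALL if name == "all" else {name}
        if tok[0] == "-":
            enabled = enabled - protos
        elif tok[0] == "+":
            enabled = enabled | protos
        else:
            enabled = set(protos)  # a bare token replaces the set built so far
    return "sslv3" in enabled

def nss_allows_sslv3(value):
    """NSSProtocol is a comma-separated list of the protocols to enable."""
    return "sslv3" in {p.strip().lower() for p in value.split(",")}

def postfix_allows_sslv3(value):
    """'!name' excludes a protocol; with no positive entries the rest stay allowed."""
    items = [p.lower() for p in re.split(r"[,\s:]+", value.strip()) if p]
    positives = [p for p in items if not p.startswith("!")]
    return "!sslv3" not in items and (not positives or "sslv3" in positives)

CHECKS = [
    (re.compile(r"^\s*SSLProtocol\s+(.+)$", re.I), apache_allows_sslv3),
    (re.compile(r"^\s*NSSProtocol\s+(.+)$", re.I), nss_allows_sslv3),
    (re.compile(r"^\s*smtpd_tls_mandatory_protocols\s*=(.*)$", re.I), postfix_allows_sslv3),
]

def audit(text):
    """Return (line_number, line) for each directive that still permits SSLv3."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, allows in CHECKS:
            m = pattern.match(line)  # lines commented out with '#' never match
            if m and allows(m.group(1)):
                findings.append((n, line.strip()))
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = "SSLProtocol ALL -SSLv2\nNSSProtocol TLSv1.0,TLSv1.1\nsmtpd_tls_mandatory_protocols=!SSLv2, !SSLv3\n"

if __name__ == "__main__":
    for n, line in audit(SAMPLE):
        print(f"line {n}: SSLv3 still enabled: {line}")
```

Run it against the contents of ssl.conf, nss.conf or main.cf by passing the file text to audit(); an empty result means none of the recognised directives permits SSLv3.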

For Courier-imap

(Still being worked on. Info To Be Added soon.)

For Lighttpd

(Still being worked on. Info To Be Added soon.)

On Dovecot

(Still being worked on. Info To Be Added soon.)

On HAProxy Server

(Still being worked on. Info To Be Added soon.)

On OpenVPN Server

(Still being worked on. Info To Be Added soon.)

On 389 Directory Server

(Still being worked on. Info To Be Added soon.)