HostOnNet Blog

Disable SSL v3.0 on cPanel Server


SSL v3.0 is vulnerable to the POODLE attack and should be disabled.

To disable SSL v3.0 on cPanel servers, go to

WHM > Service Configuration > Apache Configuration


Click on Include Editor.

Under Pre Main Include, select All Versions from the drop-down and paste the following.

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Click Update.

On the next page, you will be asked to restart the Apache server.

Disable SSL v3.0 on Ubuntu/CentOS Servers

To disable SSL v3.0 on servers with no control panel, edit your Apache configuration file and add the following lines:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Restart the Apache web server. For manage.hostonnet.com, I have the following Apache configuration:

<VirtualHost *:443>
    ServerName manage.hostonnet.com
    ServerAdmin admin@hostonnet.com
    DocumentRoot /home/manage.hostonnet.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/manage.hostonnet.com-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/manage.hostonnet.com-ssl_access.log combined
    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/manage.hostonnet.com.pem
    SSLCertificateKeyFile /etc/ssl/private/manage.hostonnet.com.key
    SSLCACertificateFile /etc/apache2/ssl.crt/manage.hostonnet.com-ca-bundle.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    <Directory "/home/manage.hostonnet.com/public_html">
        Options All
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Verify SSL v3.0 Disabled

You can check if your SSL certificate is secure at

https://sslanalyzer.comodoca.com

If you have SSL v3.0 enabled, you will see something like

[Screenshot: ssl_v3_enabled]

Once SSL v3.0 is disabled on your server, it will show something like

[Screenshot: ssl_v3_disabled]

Verify SSL v3.0 Disabled using Command Line

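To check if SSL v3.0 is disabled, run the command below. OpenSSL writes the handshake errors to stderr, so stderr is redirected into the pipe for grep to filter, and stdin is closed so the command returns even if the handshake succeeds. OpenSSL builds compiled without SSLv3 support do not accept the -ssl3 option.

openssl s_client -connect www.yourdomain.com:443 -ssl3 < /dev/null 2>&1 | grep SSL3 | grep failure

You should see something like the following; the handshake failure means the server refused SSL v3.0.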

$ openssl s_client -connect www.hostonnet.com:443 -ssl3 | grep SSL3 | grep failure
140253028181664:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140253028181664:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
$ 
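A complementary offline check, added here as an example (not code from the original post): it reads Apache configuration text, applies the +/- rules of SSLProtocol left to right, and reports every directive that still leaves SSLv3 enabled. The function names and the sample configuration are constructed for illustration, and "all" is assumed to include SSLv3, which is the worst case on older Apache/OpenSSL builds.

```python
import re

# Assumption: "all" includes SSLv3 (worst case, older Apache/OpenSSL builds).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
SETS = {"all": ALL, **{p.lower(): {p} for p in ALL | {"SSLv2", "TLSv1.3"}}}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[1:] if action else token
        if name.lower() not in SETS:
            raise ValueError(f"unknown protocol token: {token!r}")
        chosen = SETS[name.lower()]
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:  # an unprefixed token replaces everything set so far
            enabled = set(chosen)
    return enabled


def audit(config_text):
    """Return (line_no, args) for each SSLProtocol line that leaves SSLv3 on."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines do not match
        if match and "SSLv3" in effective_protocols(match.group(1)):
            findings.append((line_no, match.group(1)))
    return findings


# Constructed sample: first vhost allows SSLv3, second uses the page's line.
SAMPLE = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, args in audit(SAMPLE):
        print(f"line {line_no}: 'SSLProtocol {args}' leaves SSLv3 enabled")
```

Run it against the include file and every virtual host file, since a single vhost with its own SSLProtocol line can re-enable SSLv3 for that site.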

