HostOnNet Blog


Disable SSL v3.0 on cPanel Server

SSL v3.0 is vulnerable to the POODLE attack and should be disabled.

To disable SSL v3.0 on cPanel servers, go to

WHM > Service Configuration > Apache Configuration

Click on Include Editor.

Under Pre Main Include, select All Versions from the drop-down and paste the following.

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Click Update.

On the next page, you will be asked to restart the Apache server.

Disable SSL v3.0 on Ubuntu/CentOS Servers

To disable SSL v3.0 on servers with no control panel, edit your Apache configuration file and add the following lines:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Restart the Apache web server. For manage.hostonnet.com, I have the following Apache configuration:

<VirtualHost *:443>
    ServerName manage.hostonnet.com
    ServerAdmin admin@hostonnet.com
    DocumentRoot /home/manage.hostonnet.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/manage.hostonnet.com-ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/manage.hostonnet.com-ssl_access.log combined
    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/manage.hostonnet.com.pem
    SSLCertificateKeyFile /etc/ssl/private/manage.hostonnet.com.key
    SSLCACertificateFile /etc/apache2/ssl.crt/manage.hostonnet.com-ca-bundle.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    <Directory "/home/manage.hostonnet.com/public_html">
        Options All
        AllowOverride All
        Require all granted
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
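
An added example (not part of the original post, and not Apache's own code): a small Python audit that applies the +/- tokens of each SSLProtocol line from left to right and flags any directive that still leaves SSL v3.0 enabled, for instance in a virtual host that sets its own value. The protocol list, the meaning given to All, and the sample configuration with legacy.example.com are assumptions made for the illustration.

```python
import re

# Assumption: protocol names from Apache 2.2/2.4 mod_ssl of this page's era;
# "All" is treated as every name below, SSLv3 included (the worst case).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {name.lower(): name for name in KNOWN}

def effective_protocols(args):
    """Apply tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in CANON:
            raise ValueError(f"unknown protocol token {token!r}")
        chosen = set(KNOWN) if name == "all" else {CANON[name]}
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def audit(config_text):
    """Return (line_no, args, sslv3_enabled) for each SSLProtocol directive."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if match:
            args = match.group(1)
            findings.append((line_no, args, "SSLv3" in effective_protocols(args)))
    return findings

# Constructed sample: the page's global setting plus a hypothetical vhost
# (legacy.example.com) whose own directive still leaves SSLv3 enabled.
SAMPLE = """\
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
<VirtualHost *:443>
    ServerName legacy.example.com
    # SSLProtocol All -SSLv3
    SSLProtocol All -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, args, weak in audit(SAMPLE):
        print(f"line {line_no}: {args} -> SSLv3 {'ENABLED' if weak else 'disabled'}")
```

To audit a real file, pass its contents to audit() and review every line reported with SSLv3 enabled.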

Verify SSL v3.0 Disabled

You can check if your SSL certificate is secure at

https://sslanalyzer.comodoca.com

If you have SSL v3.0 enabled, you will see something like

[Screenshot: analyzer result with SSL v3.0 enabled]

Once SSL v3.0 is disabled on your server, it will show something like

[Screenshot: analyzer result with SSL v3.0 disabled]

Verify SSL v3.0 Disabled using Command Line

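To check if SSL v3.0 is disabled, run the command below. The handshake errors are written to stderr, so it is redirected into the pipe for grep to filter.

openssl s_client -connect www.yourdomain.com:443 -ssl3 < /dev/null 2>&1 | grep SSL3 | grep failure

You should see something like the following

$ openssl s_client -connect www.hostonnet.com:443 -ssl3 < /dev/null 2>&1 | grep SSL3 | grep failure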
140253028181664:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
140253028181664:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
$ 
