KB Articles

KBID: KB0007744

Topic/Category: Apache, Tomcat

Issue: If you maintain a web server, the safest short-term response is to disable SSLv3 support (or disable CBC-mode ciphers in coordination with SSLv3).

SSLv3 is more than fifteen years old, and the current versions of all major web browsers have supported TLS 1.0 since 2006.

It is also important to remember that many protocols other than HTTPS utilize TLS for transport security, including POP3, IMAP, SMTP, XMPP, FTP, and NNTP.

We’ve included instructions below on how to disable SSLv3 support.

Solution:

What clients do not support TLS?

The largest user base that will be affected by a lack of TLS support is Internet Explorer clients using IE6 or below.

It is estimated that 3.8% of all clients are still running IE6, but IE6 only represents 0.1% of US browsers.

Opera began supporting TLS in version 5, and TLS support was present in Firefox 2 (and possibly earlier versions).

All versions of Google Chrome support TLS.

A longer-term solution is to support the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which lets a server detect and reject a client's downgraded handshake instead of relying on SSLv3 being switched off entirely.

How can I test my server?

If you have a public web server, you can test it using the Qualys SSL Server Test.

You can also test private web servers and other TLS endpoints using OpenSSL by running
openssl s_client -ssl3 -connect fqdn:port
If your server has SSLv3 disabled, you will receive a handshake error; otherwise you’ll receive the same output as when you run
openssl s_client -connect fqdn:port
Note that many current OpenSSL builds are compiled without SSLv3 support, in which case openssl rejects the -ssl3 option and the test is inconclusive rather than a pass.

Apache

Edit \\Path\Ephesoft\Apache2.2\conf\extra\httpd-ssl.conf and add the following directly below the line

Listen 443

For httpd version 2.2.23 and newer, specify all protocols except SSLv2 and SSLv3.

SSLProtocol ALL -SSLv2 -SSLv3

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.

SSLProtocol TLSv1
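The following Python script is an added example and is not part of the original KB article or of Ephesoft's own tooling. It covers both checks the article describes: it evaluates an Apache SSLProtocol directive the way mod_ssl does (ALL plus +/- modifiers) so you can audit httpd-ssl.conf offline for either of the two forms shown above, and it wraps the openssl s_client -ssl3 probe from the testing section and classifies its result. The conf text and s_client outputs it uses are constructed samples, the host name is a placeholder, and the mapping of a missing SSLProtocol directive to mod_ssl's httpd 2.2 default of "all" is an assumption stated in the code.

```python
"""Added example, not part of the original KB article: an offline audit of the
Apache SSLProtocol directive plus a wrapper around the `openssl s_client -ssl3`
probe the article describes. The conf text and s_client outputs used below are
constructed samples; the host name is a placeholder.
"""
import re
import subprocess

# Protocol names mod_ssl in httpd 2.2 understands; `ALL` expands to this set.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def evaluate_ssl_protocol(args: str) -> set:
    """Return the set of protocols an SSLProtocol argument list enables.

    Mirrors mod_ssl's parsing: a bare name or `+name` adds a protocol,
    `-name` removes it, and `ALL` (any case) adds every known protocol.
    On httpd 2.2.22 and older the article says `TLSv1` acts as a wildcard
    for all TLS versions; that does not change the SSLv3 verdict.
    """
    enabled = set()
    for token in args.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {p for p in KNOWN_PROTOCOLS if p.lower() == token.lower()}
            if not names:
                raise ValueError(f"unknown protocol name: {token!r}")
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit_httpd_ssl_conf(conf_text: str) -> list:
    """List every SSLProtocol directive in a conf body with its effective set."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            enabled = evaluate_ssl_protocol(m.group(1))
            findings.append({"args": m.group(1), "enabled": enabled,
                             "sslv3": "SSLv3" in enabled})
    return findings


def sslv3_disabled(conf_text: str) -> bool:
    """True only if an SSLProtocol directive exists and none enables SSLv3.

    Assumption: a missing directive means mod_ssl's httpd 2.2 default (`all`),
    which still includes SSLv3, so that counts as not disabled.
    """
    findings = audit_httpd_ssl_conf(conf_text)
    return bool(findings) and not any(f["sslv3"] for f in findings)


def classify_s_client_output(output: bytes, returncode: int) -> str:
    """Interpret `openssl s_client -ssl3` output the way the article does.

    "enabled": a session was negotiated over SSLv3.
    "disabled": the handshake failed, which is what a fixed server produces.
    "unsupported-client": the local openssl was built without SSLv3 and
    rejected the flag, so the test is inconclusive.
    """
    if b"nknown option" in output:   # covers "Unknown option" and "unknown option"
        return "unsupported-client"
    if b"Protocol  : SSLv3" in output:
        return "enabled"
    if returncode != 0 or b"handshake failure" in output or b"alert" in output:
        return "disabled"
    return "inconclusive"


def probe_sslv3(host: str, port: int = 443, timeout: int = 10) -> str:
    """Run the article's `openssl s_client -ssl3 -connect host:port` probe."""
    cmd = ["openssl", "s_client", "-ssl3", "-connect", f"{host}:{port}"]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"error: {exc.__class__.__name__}"
    return classify_s_client_output(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    # Constructed sample of what the edited httpd-ssl.conf should contain.
    sample_conf = "Listen 443\nSSLProtocol ALL -SSLv2 -SSLv3   # POODLE fix\n"
    print("SSLv3 disabled in config:", sslv3_disabled(sample_conf))
    # Live probe against a server you administer (placeholder host name):
    # print(probe_sslv3("www.example.com", 443))
```

Run the config audit against the real httpd-ssl.conf by reading the file and passing its text to sslv3_disabled(); run probe_sslv3() only against hosts you operate, and treat "unsupported-client" as a reason to re-test from a machine whose openssl still has SSLv3 compiled in rather than as a pass.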

Walter Lee