Head to the configuration file where your server information is stored, for example /etc/nginx/sites-enabled/ssl.example.com.conf (replacing the path according to your configuration). Within the file, look for the ssl_protocols directive. Make sure this line exists and matches the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This will enforce the use of TLS, thus disabling SSLv3 (and any older or obsolete protocols). Now restart your Nginx server by running one of the following commands.
CentOS 7:
systemctl restart nginx
Ubuntu/Debian:
service nginx restart
To disable SSLv3 in Apache, head to your module configuration directory. On Ubuntu/Debian it may be /etc/apache2/mods-available, whereas on CentOS it may be located in /etc/httpd/conf.d. Look for the ssl.conf file. Open ssl.conf and find the SSLProtocol directive. Make sure this line exists and matches the following:
SSLProtocol all -SSLv3 -SSLv2
Once finished, save, then restart your server by running one of the following commands.
CentOS 7:
systemctl restart httpd
Ubuntu/Debian:
service apache2 restart
Head to your Postfix directory, typically /etc/postfix/. Open up the main.cf file and look for smtpd_tls_mandatory_protocols. Make sure this line exists and matches the following:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2
This excludes SSLv2 and SSLv3 on your Postfix server, so that only TLS (TLSv1.1 and TLSv1.2 among the listed versions) is used. Once done, save and restart.
CentOS 7:
systemctl restart postfix
Ubuntu/Debian:
service postfix restart
For Dovecot, open the file located at /etc/dovecot/conf.d/10-ssl.conf. Then find the line that contains ssl_protocols and make sure it matches the following:
ssl_protocols = !SSLv2 !SSLv3 TLSv1.1 TLSv1.2
Once done, save and restart Dovecot.
CentOS 7:
systemctl restart dovecot
Ubuntu/Debian:
service dovecot restart
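The four edits above all come down to one question per service: does the protocol directive still leave SSLv2 or SSLv3 enabled? The following script is an added example, not part of the original guide, that parses the Nginx ssl_protocols, Apache SSLProtocol, Postfix smtpd_tls_mandatory_protocols and Dovecot ssl_protocols directives from config text and reports any legacy protocol that is still on. The config snippets in SAMPLES are constructed for the example; the expansion of Apache's "all" to every version (including SSLv2) and the exclusion-list semantics used for Postfix and Dovecot are assumptions made deliberately conservative, so a doubtful directive is flagged rather than passed.

```python
# Added example: audit the protocol directives this guide edits and report
# whether SSLv2/SSLv3 are still enabled. Not part of the original guide;
# the config snippets in SAMPLES are constructed for the example.
import re

KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3"}

def nginx_protocols(conf):
    """Protocols enabled by the last 'ssl_protocols ... ;' line, or None if absent."""
    enabled = None
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M):
        enabled = set(m.group(1).split())
    return enabled

def apache_protocols(conf):
    """Protocols enabled by the last SSLProtocol directive, or None if absent.
    'all' is expanded to every version in KNOWN (a deliberately conservative
    assumption: old Apache/OpenSSL builds included SSLv2 and SSLv3 in 'all');
    '-X' removes a version, '+X' or a bare 'X' adds one."""
    enabled = None
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+)$", conf, re.M | re.I):
        enabled = set()
        for tok in m.group(1).split():
            if tok.lower() == "all":
                enabled |= KNOWN
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok.lstrip("+"))
    return enabled

def negated_list_protocols(conf, key):
    """Protocols enabled by a 'key = !SSLv2, !SSLv3 TLSv1 ...' setting, as used
    by Postfix main.cf and Dovecot 10-ssl.conf, or None if absent. Assumed
    semantics: when any '!' exclusion is present, every version in KNOWN that
    is not excluded stays enabled; without exclusions only the listed ones are."""
    enabled = None
    pattern = r"^\s*" + re.escape(key) + r"\s*=\s*(.*)$"
    for m in re.finditer(pattern, conf, re.M):
        toks = [t for t in re.split(r"[\s,]+", m.group(1).strip()) if t]
        excluded = {t[1:] for t in toks if t.startswith("!")}
        included = {t for t in toks if not t.startswith("!")}
        enabled = (KNOWN - excluded) if excluded else included
    return enabled

PARSERS = {
    "nginx": nginx_protocols,
    "apache": apache_protocols,
    "postfix": lambda c: negated_list_protocols(c, "smtpd_tls_mandatory_protocols"),
    "dovecot": lambda c: negated_list_protocols(c, "ssl_protocols"),
}

MISSING = "<directive missing: server default applies>"

def legacy_still_enabled(kind, conf):
    """Sorted SSLv2/SSLv3 entries still enabled; [] means the guide's fix is in place.
    A missing directive is reported rather than treated as safe, because the
    server's built-in default (not this file) then decides."""
    enabled = PARSERS[kind](conf)
    if enabled is None:
        return [MISSING]
    return sorted(enabled & LEGACY)

# Constructed sample configurations: a weak and a fixed variant per service.
SAMPLES = {
    "nginx (weak)":    ("nginx",   "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "nginx (fixed)":   ("nginx",   "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "apache (weak)":   ("apache",  "SSLEngine on\nSSLProtocol all\n"),
    "apache (fixed)":  ("apache",  "SSLEngine on\nSSLProtocol all -SSLv3 -SSLv2\n"),
    "postfix (fixed)": ("postfix", "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2\n"),
    "dovecot (weak)":  ("dovecot", "ssl = required\nssl_protocols = !SSLv2\n"),
    "dovecot (fixed)": ("dovecot", "ssl = required\nssl_protocols = !SSLv2 !SSLv3 TLSv1.1 TLSv1.2\n"),
}

def audit_samples():
    """Run the check over every constructed sample; keys map to findings."""
    return {name: legacy_still_enabled(kind, conf) for name, (kind, conf) in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name:16} {'OK' if not findings else 'STILL ENABLED: ' + ', '.join(findings)}")
```

Two points worth keeping in mind when using this on real files. First, an absent directive is reported rather than passed, because the server's compiled-in default then applies, and at the time of POODLE those defaults still included SSLv3. Second, the Postfix check covers only smtpd_tls_mandatory_protocols, which governs sessions where TLS is mandatory (smtpd_tls_security_level = encrypt); opportunistic TLS sessions are governed by the separate smtpd_tls_protocols setting, which this guide does not edit.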
To verify that SSLv3 is disabled on your web server, run the following command (replace domain and IP accordingly):
openssl s_client -servername example.com -connect 0.0.0.0:443 -ssl3
You will see output similar to the following:
CONNECTED(00000003)
140060449216160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140060449216160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414181774
Timeout : 7200 (sec)
Verify return code: 0 (ok)
If you want to confirm that your server is using TLS, run the same command but without -ssl3:
openssl s_client -servername example.com -connect 0.0.0.0:443
You should see similar information displayed. Locate the Protocol line and confirm that it is using TLSv1.X (with X being 1 or 2 depending on your configuration). If you see this, then you have successfully disabled SSLv3 on your web server.
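Reading the two s_client transcripts by eye works for one server; for many, it helps to turn the check into a verdict. The following is an added example, not code from the original guide, that classifies s_client output into "SSLv3 rejected", "TLS negotiated" or "inconclusive" and combines the two runs the guide describes. The transcripts embedded below are constructed from the shape of the output shown above (addresses, byte counts and times are placeholders). One caveat the function handles: OpenSSL builds from 1.1.0 onward ship without SSLv3 support, so -ssl3 fails inside the client before any connection is made, which says nothing about the server; the exact "Unknown option" wording used in the sample is an assumption.

```python
# Added example: turn the two manual 'openssl s_client' checks above into a
# scripted verdict. Not part of the original guide; the sample outputs are
# constructed from the shape of the output shown in the guide, and the
# "Unknown option" wording for OpenSSL builds that lack SSLv3 is an assumption.
import re
import subprocess

def classify_s_client(output):
    """Classify one s_client transcript:
      'sslv3-rejected'     the server answered the SSLv3 hello with a handshake alert
      'handshake-failed'   no session was established for some other reason
      'tls-negotiated:X'   a TLS session was established using protocol X
      'inconclusive'       the client never connected (e.g. -ssl3 unsupported locally)"""
    low = output.lower()
    if "connected(" not in low:
        # No TCP connection was made, so nothing can be said about the server.
        return "inconclusive"
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    failed = "alert handshake failure" in low or (cipher and cipher.group(1) == "0000")
    if failed:
        if proto and proto.group(1) == "SSLv3":
            return "sslv3-rejected"
        return "handshake-failed"
    if proto and proto.group(1).startswith("TLSv1"):
        return "tls-negotiated:" + proto.group(1)
    return "inconclusive"

def sslv3_disabled(ssl3_output, default_output):
    """The guide's two-step test: the -ssl3 run must be rejected and the plain run
    must negotiate TLS."""
    return (classify_s_client(ssl3_output) == "sslv3-rejected"
            and classify_s_client(default_output).startswith("tls-negotiated:"))

def run_s_client(host, port=443, extra_args=()):
    """Run the same command the guide uses and return its combined output.
    stdin is /dev/null so s_client exits once the handshake completes."""
    cmd = ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}", *extra_args]
    proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=20)
    return proc.stdout + proc.stderr

# Constructed transcripts (addresses, byte counts and times are placeholders).
SSL3_REJECTED = """CONNECTED(00000003)
140060449216160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
"""
TLS_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.com
---
SSL handshake has read 3412 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""
CLIENT_LACKS_SSL3 = "s_client: Unknown option: -ssl3\nusage: s_client [options]\n"

if __name__ == "__main__":
    print(classify_s_client(SSL3_REJECTED))      # sslv3-rejected
    print(classify_s_client(TLS_OK))             # tls-negotiated:TLSv1.2
    print(classify_s_client(CLIENT_LACKS_SSL3))  # inconclusive
    print(sslv3_disabled(SSL3_REJECTED, TLS_OK))  # True
```

To check a live host, feed run_s_client(host, extra_args=("-ssl3",)) and run_s_client(host) into sslv3_disabled. If the first call comes back "inconclusive", the local OpenSSL cannot speak SSLv3 at all, and the test has to be run from a host with an older OpenSSL (or with a scanner that implements SSLv3 itself) before the server can be called clean.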