• Domains
  • Web Hosting
  • WordPress Hosting
  • Reseller Hosting
  • Cloud VPS
  • Dedicated Servers
  • Domains
  • Web Hosting
  • WordPress Hosting
  • Reseller Hosting
  • Cloud VPS
  • Dedicated Servers
home/Knowledge Base/Web Servers/Disabling SSLv3
Popular Search:Dedicated Server, CentOS, Web Hosting

Disabling SSLv3

18 views 0 December 8, 2019 aklwebhost

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability that was found on October 14th, 2014, which allows an attacker to read any encrypted information using the SSLv3 protocol by performing a man-in-the-middle attack. Although many programs use SSLv3 as a fallback, it has come to the point where it should be disabled – as many clients can be forced into using SSLv3. Forcing a client into SSLv3 increases the chance of an attack taking place. This article will show you how to disable SSLv3 in select software applications that are commonly used today.

Disabling SSLv3 on Nginx

Head to the configuration file where your server information is stored. For example, /etc/nginx/sites-enabled/ssl.example.com.conf (replacing the path accordingly to your configuration). Within the file, look for ssl_protocols. Make sure this line exists, and matches the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

This will enforce the use of TLS, thus disabling SSLv3 (and any older or obsolete protocols). Now restart your Nginx server by running one of the following commands.

CentOS 7:

systemctl restart nginx 

Ubuntu/Debian:

service nginx restart

Disabling SSLv3 on Apache

To disable SSLv3, head to your module configuration directory for Apache. On Ubuntu/Debian it may be /etc/apache2/mod-available. Whereas on CentOS, it may be located in /etc/httpd/conf.d. Look for the ssl.conf file. Open ssl.conf and find the SSLProtocol directive. Make sure this line exists, and matches the following:

SSLProtocol all -SSLv3 -SSLv2

Once finished, save, then restart your server by running one of the following commands.

For Ubuntu/Debian run:

CentOS 7:

systemctl restart httpd

Ubuntu/Debian:

service apache2 restart

Disabling SSLv3 on Postfix

Head to your postfix directory. It is typically /etc/postfix/. Open up the main.cf file and look for smtpd_tls_mandatory_protocols. Make sure this line exists, and matches the following:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2

This will force TLSv1.1 and TLSv1.2 to be enabled and used on your Postfix server. Once done, save and restart.

CentOS 7:

 systemctl restart postfix

Ubuntu/Debian:

service postfix restart

Disabling SSLv3 on Dovecot

Open the file located at /etc/dovecot/conf.d/10-ssl.conf. Then, find the line that contains ssl_protocols and make sure it matches the following:

ssl_protocols = !SSLv2 !SSLv3 TLSv1.1 TLSv1.2

Once done, save and restart Dovecot.

CentOS 7:

systemctl restart dovecot

Ubuntu/Debian:

service dovecot restart

Testing that SSLv3 is Disabled

To verify that SSLv3 is disabled on your web server, run the following command (replace domain and IP accordingly):

openssl s_client -servername example.com -connect 0.0.0.0:443 -ssl3

You will see output similar to the following:

CONNECTED(00000003)
140060449216160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140060449216160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414181774
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

If you want to confirm that your server is using TLS, run the same command but without -ssl3:

 openssl s_client -servername example.com -connect 0.0.0.0:443

You should see similar information displayed. Locate the Protocol line and confirm that it is using TLSv1.X (with X being 1 or 2 depending on your configuration). If you see this, then you have successfully disabled SSLv3 on your web server.

Tags:Disabling SSLv3

Was this helpful?

Yes  No
Related Articles
  • Setup Spigot Server on Arch Linux
  • How To Install OSSEC HIDS on a CentOS 7 Server
  • Initial Setup of a CentOS 7 Server
  • Using StrongSwan for IPSec VPN on CentOS 7
  • Hot Backups with Percona XtraBackup on the One-Click WordPress App
  • Installing Rust on Ubuntu 14.04
Leave A Comment Cancel reply

Web Servers
  • Disabling SSLv3
  • How To Setup Apache on Windows Server
  • Setting up IIS on Windows Server
  • Setup NGINX, PHP-FPM, and MariaDB on Debian 8
  • Apache Virtual Hosts on Ubuntu 14.04 LTS
  • Install Lighttpd with PHP5 and MySQL (LLMP Stack) on Ubuntu 14.04
View All 37  
Popular Articles
  • Using StrongSwan for IPSec VPN on CentOS 7
  • Disabling SSDP (Linux / Windows)
  • Can I pay by Western Union?
  • Can a Coupon Code Discount Be Carried Forward While I Upgrade My VPS Account
  • Can I pay multiple due invoices using a single transaction?
KB Categories
  • Billing
  • Cloud Hosting
  • CMS Hosting
  • cPanel/WHM Control Panel Guide
  • Dedicated Servers
    • AMD Opteron 6272
    • Arch
    • Backup Storage
    • Bandwidth
    • Basic Security
    • BSD
    • CentOS
    • Containers
    • CoreOS
    • DDoS Protection
    • Debian
    • Dedicated Server Control Panel
    • Intel Core i5 3550
    • Intel Core i5 4570
    • Intel Core i7 3770
    • Intel Core i7 4770
    • Intel Xeon E3 1230 V3
    • Intel Xeon E3 1245 V2
    • IP Space
    • Linux Guides
    • Minecraft
    • Networking
    • Server Apps
    • Server Troubleshooting
    • Ubuntu
    • Windows Guides
    • Windows Server 2008
    • Windows Server 2012
  • Domain Names
  • Email Support Documentation
    • Setup IMAP or POP
    • User Features – How To
    • Webmail – How To
  • FTP (File Transfer Protocol
    • CuteFTP Guide
    • FileZilla Guide
  • Game Servers
  • MySQL and MariaDB
  • Node.js
  • Plesk Web Hosting Guide
  • VPS Server
  • Web Servers

  Disable or Restrict Root Login via SSH on Linux

DMD on Ubuntu 14.04  

  • Privacy Policy
  • Terms of Use
  • © 2022 AKLWEB HOST LLC, All Rights Reserved.

Popular Search:Dedicated Server, CentOS, Web Hosting