i am trying to turn of SSLv2 and SSLv3 on my Apache 2.2.22 on SUSE.
I disabled SSLv2 and SSLv3 in my /etc/apache2/vhost.d/vhost-ssl.conf with this command:
SSLProtocol all -SSLv2 -SSLv3
When i check my Website over ssllabs.com it still says that both versions of SSL are available.
What do i miss?
Regards
First off have you restarted the Apache service? You can restart Apache by using the following command
sudo service httpd restart
If that doesn't work use a tool like grep to to search 'SSLProtocol' in all files in the /etc/httpd directory. The SSL Protocol could be set in a number of places and it could be picking up a setting from somewhere else. Try the following grep command to find all usages of SSLProtocol
sudo grep -rin "SSLProtocol" /etc/httpd/*
If you are running Apache 2.2 or older the syntax you have used won't work, you will need to specify each protocol you would like to support. You will need to change it to something like the following
The method which you are using is for new version of Apache and Openssl. It might be possible that new version of these doesn't installed on your system, verify current installed version. Since SSLv2-3 both are vulnerable of some attacks, so it would be better to use only TLS. So modify your SSLProtocol file as follows,
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
I found the this example at https://unix.stackexchange.com/a/162479