Yesterday I wrote a post about disabling SSLv3 in Postfix and today we take a close look at Apache. A closer look at the current installation of Apache and the version shipped with Debian 8, which was released a few days back, showed that either the Apache project or Debian has taken the responsibility to completely disable SSLv2. Hopefully SSLv3 will get the same treatment soon, as broken security is worse than no security due to the false sense of security.
First we see that the cipher suites differ between the two, and for now I’ll ignore them. Those will be touched on in a later posting, as RC4 also needs to be phased out. For Debian Jessie installations everything is well at the protocol level, but for Wheezy the option “-SSLv3” is missing, and since TLS is compiled into Apache and OpenSSL on Debian Wheezy it is pretty safe to turn SSLv3 off unless you want to keep servicing Internet Explorer 6.
SSLProtocol all -SSLv3 -SSLv2
As with Postfix, Apache needs a hard restart to enforce this on all connections from that point forward, so that no one keeps an old connection with SSLv3.
$ sudo systemctl restart apache2.service
Keep in mind that these settings can also be set at the virtual host level within Apache, where they will override any global setting. So it may be wise to also verify other configuration files for Apache and/or run sslscan against your websites to verify the SSL protocols offered.
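One way to check configuration files for such overrides, as an added example that is not part of the original post: it evaluates each SSLProtocol line and reports those, global or inside a VirtualHost block, that still leave SSLv3 enabled. The sample configuration and host names are constructed, and treating "all" as including SSLv3 and unprefixed tokens as additive are simplifying assumptions.

```python
import re

# Assumption: "all" covers SSLv3 plus every TLS version, as on the Wheezy-era builds discussed.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right (simplified model)."""
    enabled = set()
    for token in args.lower().split():
        name = token.lstrip("+-")
        group = ALL if name == "all" else {name}
        # Unprefixed tokens are treated as additive, which can only over-report SSLv3.
        enabled = enabled - group if token.startswith("-") else enabled | group
    return enabled

def audit(text, source="<inline>"):
    """Return (source, line, scope) for each SSLProtocol that still allows SSLv3."""
    findings, scope = [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = "vhost " + opened.group(1).strip()
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        else:
            directive = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            if directive and "sslv3" in enabled_protocols(directive.group(1)):
                findings.append((source, lineno, scope))
    return findings

# Constructed sample: the global setting is hardened, but one vhost overrides it.
SAMPLE = """\
SSLProtocol all -SSLv3 -SSLv2
<VirtualHost *:443>
    ServerName shop.example.org
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.org
    # SSLProtocol all
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for source, lineno, scope in audit(SAMPLE):
        print(f"{source}:{lineno}: SSLv3 still enabled ({scope})")
```

To audit a real installation, read each file under the Apache configuration directory and pass its text and path to `audit()`.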
The POODLE attack was made public in late 2014 and most vendors have taken action to solve possible issues related to POODLE. The time has definitely come to close SSLv3 in all parts of public-facing infrastructure. By default Postfix still only disallows SSLv2, and hopefully this will change in the form of stricter default behaviour in Postfix or distributions/vendors that stop shipping SSLv3 libraries.
For now you can use the postconf command to set restrictions on which protocols shouldn’t be used by Postfix.
As this is a change to /etc/postfix/main.cf, Postfix can be reloaded to reread the configuration, but it may be smarter to just restart Postfix to make it effective for all connections from the moment Postfix restarts.
$ sudo systemctl restart postfix.service
All encrypted sessions Postfix allows will require TLSv1+. The next step will be to disable the RC4 cipher suite, but I will do that in another posting.
2014 was a year with only one blog post, 2014 was a year with under a hundred wiki edits, 2014 was also a year of change. I passed both my PRINCE2 Foundation and ITILv3 Foundation exams, I passed my RHCSA exam and am now wrapping up my RHCE and Professional Scrum Master exams.
2014 was also the year I gave my first Scrum-course and the next course is planned. 2014 was also the year I gave a presentation with Martin Simons from Webhuis about CFEngine at the small conference organized by Cohesion.
2014 was also the year I switched from Debian to Fedora on my desktop due to a hard disk failure, but backups saved the day. 2014 was also the year I switched back to self-hosted services and deleted or cleaned out accounts with overseas services. Hopefully more services for me will follow in 2015, but we will see.
For now it is reducing my todo-list and automating certain tasks so I don’t have to spend time on them anymore. Hopefully this will lead to posts about CFEngine, Nagios, LDAP and PHPUnit, but again we will see how things go. So let’s make this a productive and relaxed 2015 for all.