Updating ssl 2 0 to ssl 3 0


10-Nov-2019 04:13

A homegrown site of ours breaks when disabling TLS 1.0 and a a site that runs a program we purchased from a vendor broke when disabling SSL 3.0. Where should I start looking first to upgrade or patch these sites so that I would be able to disable SSL 3.0 and TLS 1.0 without breaking the authentication during login?

When I say broke I'm not able to log in, as if disabling those ciphers breaks the authentication step.

Thank you Thomas, I only have one directive setting the SSL Protocol unlike some that have multiple settings. I have 2 servers that are Red Hat 6.5 that have the same configurations as other servers in my farm and when I run the path hal-test.or hal-dev.both are different servers I get a response back that these are vulnerable.

I have tried to override the directive by adding SSLProtocol All -SSLv2 -SSLv3 in the file however this did not work either. It was a combination of Tomas' note above (overwritten directive within the vhost regardless if the SSLProtocol is at the top of your file) along with a few greps to find where the Virtual Hosts were actually configured. My file has SSLProtocol -All TLSv1 on both servers.

Latest vulnerability scan is requiring that we disable SSL 3.0 and TLS 1.0 on our public facing websites.

Disabling both of those didn't cause a problem on our Exchange server but two of our other sites didn't like it.

This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

Backwards compatibility can be achieved using TLSv1.0.We detected that this server does not support SSLv3 Take note, you must restart Apache [httpd] to take effect the changes.