Disable SSLv2 and SSLv3 in Apache

By | 2013/06/18

Yes, we all know that SSLv2 is to be avoided, but you should also consider disabling SSLv3! Wha? Crazy, I know. Here is some info.

The replacement for SSLv3 was TLS 1.0. We now have TLS 1.0, 1.1, and 1.2. In fact, no modern browsers or mobile devices need SSLv3 – not even IE 8 on Windows XP!

For best security, disable both SSLv2 and SSLv3 and only use TLS 1.0 and higher.

In Apache, current docs say to specify the following:

SSLProtocol All -SSLv2 -SSLv3

Rock on,
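
To find directives that still leave SSLv2 or SSLv3 switched on, here is an added example (not code from the original post or from the Apache project) that scans config text for SSLProtocol lines and evaluates each one left to right. The evaluation rules, the contents of ALL, and the names effective_protocols, audit and SAMPLE are assumptions of this example; check the rules against your own mod_ssl build.

```python
import re

# Assumption: what "all" covers depends on the Apache/OpenSSL build in use.
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL}
WEAK = {"SSLv2", "SSLv3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Model of mod_ssl's left-to-right evaluation (an assumption of this example):
    '+x' adds, '-x' removes, a bare 'x' replaces everything set so far."""
    enabled = set()
    for token in args.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        if key != "all" and key not in CANON:
            raise ValueError(f"unknown protocol {name!r}")
        group = set(ALL) if key == "all" else {CANON[key]}
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = group
    return enabled

def audit(config_text):
    """Return (line_no, args, weak protocols still enabled) per SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:  # commented-out directives start with '#' and do not match
            weak = sorted(effective_protocols(m.group(1)) & WEAK)
            findings.append((no, m.group(1), weak))
    return findings

# Constructed sample: a global directive plus a vhost that sets its own.
SAMPLE = """\
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
# SSLProtocol all
"""

if __name__ == "__main__":
    for no, args, weak in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} ->", ", ".join(weak) or "no SSLv2/SSLv3")
```

Run it over every file the server loads, including any Include'd files, since each SSLProtocol line is reported separately.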

7 thoughts on “Disable SSLv2 and SSLv3 in Apache”

  1. Ian

    Given the announcement of the POODLE vulnerability, how prescient this post was!

  2. Sebastiaan

    Please note that “SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2” does NOT disable SSLv3 support.
    As the syntax suggests, it adds TLSv1, TLSv1.1, and TLSv1.2 support to the configuration, so it does the same as “SSLProtocol ALL TLSv1 TLSv1.1 TLSv1.2”.

    To disable SSLv3, use “SSLProtocol TLSv1 TLSv1.1 TLSv1.2”, or “SSLProtocol -SSLv3” instead. The last one might be preferable, because this will keep TLSv1.3 and successors enabled, when they’re released in the future.

    1. Sebastiaan

      Sorry, that last one should be “SSLProtocol ALL -SSLv3”, of course.

    2. Sebastiaan

      Never mind.. my rant is completely untrue.. “+x” does NOT add anything to the current configuration, it replaces it instead.. Feel free to remove my comments. Thanks for the article!

      1. Scott Miller Post author

        Actually, I like what you have. I’ve updated the post.

  3. nolys

    I have followed all the tutorial to disable SSLv3 on a Red Hat 6 server but nothing. When I do the test with nmap, we always notice that SSLv3 is supported.
    Could you please help me to have the best procedure to disable it?

  4. muddassir

    With SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3 I am unable to disable SSLv3 in Apache 2.2.29. Please help.

