Question


How do I disable SSLv3 on my Control Panel server?


Environment


OnApp versions 3.x, 4.x, 5.x, 6.x


Answer


During the OnApp installation, the OpenSSL utility is installed. Two Apache configuration files define the SSLProtocol directive: /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/onapp.conf. To disable SSLv3, modify the SSLProtocol directive in each file so that it includes -SSLv3. The existing directives are:

   • In /etc/httpd/conf.d/onapp.conf:

    SSLProtocol -ALL +SSLv3 +TLSv1

   • In /etc/httpd/conf.d/ssl.conf:

    SSLProtocol all -SSLv2


Change them as follows to disable SSLv3:


   • In /etc/httpd/conf.d/onapp.conf:

    SSLProtocol -ALL -SSLv3 +TLSv1

   • In /etc/httpd/conf.d/ssl.conf:

    SSLProtocol all -SSLv2 -SSLv3


Once these changes are made and saved, do the following:

  1. Stop the OnApp service:

    service onapp stop

  2. Restart Apache:

    /etc/init.d/httpd restart

  3. Restart OnApp:

    service onapp start

Once these services are restarted, SSLv3 will be disabled.
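
To check the edited files, the script below evaluates each active SSLProtocol line and reports whether SSLv3 is still enabled. It is an added example, not part of the original article or of OnApp's tooling; the function names sslv3_state and audit_conf are hypothetical, and the evaluation is a simplified model that assumes "all" includes SSLv3 and treats a bare protocol name as enabling it.

```shell
#!/bin/sh
# Added example: flag SSLProtocol directives that still leave SSLv3 enabled.
# Simplified model of left-to-right evaluation (assumption): "all" includes
# SSLv3, and a bare protocol name is treated the same as "+name".

# sslv3_state ARGS... -> prints "enabled" or "disabled"
sslv3_state() {
    state=disabled
    for tok in "$@"; do
        # Compare case-insensitively (the article uses both -ALL and all).
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            all|+all|sslv3|+sslv3) state=enabled ;;
            -all|-sslv3)           state=disabled ;;
        esac
    done
    echo "$state"
}

# audit_conf FILE... -> prints one line per active SSLProtocol directive;
# returns 1 if any directive leaves SSLv3 enabled, 0 otherwise.
audit_conf() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Lines starting with '#' do not match the pattern and are skipped.
        while read -r name args; do
            [ -n "$name" ] || continue
            # $args is left unquoted on purpose so it splits into tokens.
            result=$(sslv3_state $args)
            echo "$f: SSLProtocol $args -> SSLv3 $result"
            if [ "$result" = enabled ]; then rc=1; fi
        done <<EOF
$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$f")
EOF
    done
    return $rc
}

# The two files named in this article; unreadable or missing files are skipped.
audit_conf /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/onapp.conf \
    || echo "At least one SSLProtocol directive still enables SSLv3"
```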


Additional Information


More information on the vulnerability can be found at https://access.redhat.com/security/cve/CVE-2014-3566. Currently, there is no patch available. Thus, disabling SSLv3 is highly recommended.