Here is my environment: Server RHEL 6.3, Apache 2.2.15, Tomcat 6, OpenSSL 1.0.0-fips
In order to eliminate the POODLE vulnerability in Google Chrome 39, I have been trying for a couple of days to block SSL 2 and SSL 3 in my config files, but my server is still vulnerable and accepts SSL V3.
What I have done so far:
- Add directive SSLProtocol All -SSLv2 -SSLv3 in httpd-ssl.conf
- Check the syntax of the file with “apachectl configtest”
- Restart Apache
Google Chrome still shows the message
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION
As I have another config file named httpd-vhosts.conf, where my virtual host pointing to Tomcat is defined, I tried to add the same directive SSLProtocol All -SSLv2 -SSLv3
inside block, and I got the message
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
in Google Chrome and Internet Explorer, Opera and Firefox did not work at all anymore.
Is there anything I should check or change? I’ve almost no more hair on my head…
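
One way to list every SSLProtocol directive across the two files named in the post, with the context it sits in and whether it still leaves SSLv2 or SSLv3 enabled. This is an added example, not part of the original post: the config contents are constructed, and the token handling (`+name` adds, `-name` removes, a bare name replaces the set, `all` expands to the `KNOWN` list) is a simplified assumption.

```python
import re

# Assumption: protocol names this sketch understands; "all" expands to all of them.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right (simplified model):
    +name adds, -name removes, a bare name replaces the current set."""
    enabled = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        names = set(KNOWN) if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def audit(files):
    """files: {filename: config text} -> (directive findings, vhosts with no directive)."""
    findings, bare_vhosts = [], []
    for fname, text in files.items():
        context, has_directive = "server config", False
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            directive = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            if opened:
                context, has_directive = "VirtualHost " + opened.group(1).strip(), False
            elif line.lower().startswith("</virtualhost"):
                if not has_directive:  # block relies on a setting made elsewhere
                    bare_vhosts.append((fname, context))
                context = "server config"
            elif directive:
                has_directive = True
                weak = sorted(enabled_protocols(directive.group(1)) & {"sslv2", "sslv3"})
                findings.append((fname, lineno, context, weak))
    return findings, bare_vhosts

# Constructed sample input; only the two file names come from the post.
SAMPLE = {
    "httpd-ssl.conf": "Listen 443\nSSLProtocol All -SSLv2 -SSLv3\n",
    "httpd-vhosts.conf": (
        "<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol all -SSLv2\n</VirtualHost>\n"
        "<VirtualHost *:443>\n  SSLEngine on\n</VirtualHost>\n"
    ),
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding is `(file, line, context, legacy protocols still enabled)`; an empty list in the last position means that directive leaves neither SSLv2 nor SSLv3 on.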