Implemented: FS#3706 - disable SSLv3 to protect servers agains POODLE attack.

53124ed9 · Till Brehm · 68b1465c · 53124ed9 · 53124ed9 · 53124ed9
Commit 53124ed9 authored Oct 16, 2014 by Till Brehm
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -63,6 +63,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port">

  # SSL Configuration
  <tmpl_var name="ssl_comment">SSLEngine On
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

--- a/install/tpl/nginx_ispconfig.vhost.master
+++ b/install/tpl/nginx_ispconfig.vhost.master
 server {
        listen {vhost_port};
 		ssl {ssl_on};
+		{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
        {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
 		

--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -6,6 +6,7 @@ server {
 		
 <tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:443 ssl;
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 <tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:443 ssl;
 </tmpl_if>

--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -47,7 +47,8 @@

 		<IfModule mod_ssl.c>
 <tmpl_if name='ssl_enabled'>
-	SSLEngine on
+		SSLEngine on
+		SSLProtocol All -SSLv2 -SSLv3
 		SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
 		SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
 <tmpl_if name='has_bundle_cert'>