From 53124ed9dc52e8aee60d9018ffb32c18f03c4daa Mon Sep 17 00:00:00 2001
From: Till Brehm
Date: Thu, 16 Oct 2014 16:37:35 +0200
Subject: [PATCH] Implemented: FS#3706 - disable SSLv3 to protect servers agains POODLE attack.
---
 install/tpl/apache_ispconfig.vhost.master | 1 +
 install/tpl/nginx_ispconfig.vhost.master | 1 +
 server/conf/nginx_vhost.conf.master | 1 +
 server/conf/vhost.conf.master | 3 ++-
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/install/tpl/apache_ispconfig.vhost.master b/install/tpl/apache_ispconfig.vhost.master
index 4973af083..3619e16b6 100644
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -63,6 +63,7 @@ NameVirtualHost *: # SSL Configuration SSLEngine On + SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
diff --git a/install/tpl/nginx_ispconfig.vhost.master b/install/tpl/nginx_ispconfig.vhost.master
index 931bc6162..70d6a53b5 100644
--- a/install/tpl/nginx_ispconfig.vhost.master
+++ b/install/tpl/nginx_ispconfig.vhost.master
@@ -1,6 +1,7 @@ server { listen {vhost_port}; ssl {ssl_on}; + {ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2; {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
index 6e3d85324..cb9f628b1 100644
--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -6,6 +6,7 @@ server { listen :443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; listen []:443 ssl;
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index 16e0d1216..23cec4711 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
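Review bot: The added `SSLProtocol All -SSLv2 -SSLv3` is scoped to one virtual host, and for name-based TLS vhosts mod_ssl builds linked against OpenSSL older than 1.1.1 take the protocol set from the first vhost on the IP:port, so the line only has an effect when that vhost carries it as well. The same holds for the identical line added in server/conf/vhost.conf.master. Setting the directive once at server level, outside any `<VirtualHost>`, would keep a vhost that was not generated from these templates from leaving SSLv3 reachable. A comment above the line, such as `# SSLv3 disabled against POODLE (FS#3706); do not re-enable`, would keep the reason next to the setting. The enclosing vhost block starts and ends outside the hunk.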
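Review bot: `ssl_protocols` is added inside the per-site `server` block in server/conf/nginx_vhost.conf.master, but nginx negotiates the protocol version before it picks a server block by SNI, so the value of the default server for the listen socket is the one that usually decides (worth confirming on the nginx/OpenSSL versions this project supports). A site generated from this template can therefore still accept SSLv3 when another server on the same address and port is the default and lacks the line; putting `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` once in the `http` context covers every server. The line also sits between the two `listen` directives, and since the template conditionals are not visible here it may end up inside whatever condition wraps the second `listen`; next to the certificate directives would be a safer place. The install/tpl/nginx_ispconfig.vhost.master hunk has the same per-server scope.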
@@ -47,7 +47,8 @@ - SSLEngine on + SSLEngine on + SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /ssl/.crt SSLCertificateKeyFile /ssl/.key -- GitLab
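Review bot: Only the template changes in this hunk, so vhost files already written from the old template keep accepting SSLv3 until they are regenerated, and nothing visible in the patch triggers a resync on update. The update notes should say that sites must be resynced and then checked one by one, for example with `openssl s_client -connect HOST:443 -ssl3` (HOST is a placeholder; the handshake should fail, and the option is missing from OpenSSL builds without SSLv3). The `SSLEngine on` line is also removed and re-added, apparently a whitespace-only change, and keeping that out of a security fix would make the diff easier to audit. The surrounding vhost block starts and ends outside the hunk.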