How to Disable SSLv3 for a Specific VirtualHost in Apache to Mitigate POODLE Vulnerability


The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack exploits SSLv3's weak cipher block padding mechanism. While the standard mitigation is to disable SSLv3 entirely, production environments often require gradual testing before full implementation.

Contrary to some documentation, Apache does allow the SSLProtocol directive inside a VirtualHost block. There are caveats, though: name-based VirtualHosts that share an address and port are selected by SNI, and on older Apache/OpenSSL combinations the protocol settings of the first (default) VirtualHost for that address:port apply to all of them, so the default VirtualHost needs the same restriction:

<VirtualHost *:443>
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder On
    ServerName test.example.com
</VirtualHost>

If SSLv3 is still accepted after this change, common reasons include:

  • Missing SSLEngine On directive
  • Conflicting global SSL settings in httpd-ssl.conf
  • Outdated OpenSSL version not honoring protocol restrictions
  • Browser caching old SSL handshakes

Verify your configuration with:

openssl s_client -connect test.example.com:443 -ssl3

When SSLv3 is properly disabled the handshake fails and the output ends with "Cipher is (NONE)". If your openssl binary was built without SSLv3 support it reports an unknown option instead, which says nothing about the server; run the check from a client whose openssl can still speak SSLv3.
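The check above, extended to every protocol version and with the result classified from s_client's output, as an added example that is not part of the original page. The hostname and port are assumptions, and the sample outputs at the bottom are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page: probe which protocol versions a
# VirtualHost still accepts and classify `openssl s_client` output. The host
# and port are assumptions; set PROBE_HOST (and PROBE_PORT) to your own.

# classify_handshake: read s_client output on stdin, print one verdict:
#   negotiated  - a session with a real cipher was established
#   rejected    - the server refused that version ("Cipher is (NONE)")
#   unsupported - the local openssl cannot speak that version, so the
#                 result says nothing about the server
#   unreachable - TCP connection failed (check host/port, not mod_ssl)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)    echo unsupported ;;   # "Unknown option"/"unknown option"
        *"connect:errno"*)    echo unreachable ;;
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo negotiated ;;
        *)                    echo rejected ;;
    esac
}

# probe: try one version flag (e.g. -tls1_2) against PROBE_HOST:PROBE_PORT.
# -servername sends SNI so the intended name-based VirtualHost answers.
# SSLv3 has no extensions, so the -ssl3 probe always reaches the default
# VirtualHost for that IP:port, whatever ServerName you mean to test.
probe() {
    openssl s_client -connect "$PROBE_HOST:$PROBE_PORT" \
        -servername "$PROBE_HOST" "$1" </dev/null 2>&1 | classify_handshake
}

# Constructed samples of s_client output (trimmed to the decisive lines).
SAMPLE_NEGOTIATED="    Protocol  : TLSv1.2
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
SAMPLE_REJECTED="SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)"
SAMPLE_UNSUPPORTED="s_client: Unknown option: '-ssl3'"

# Only contact the network when a target is given, e.g.
#   PROBE_HOST=test.example.com sh probe_tls.sh
if [ -n "${PROBE_HOST:-}" ]; then
    PROBE_PORT="${PROBE_PORT:-443}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe "$flag")"
    done
fi
```

A line reading "-ssl3    rejected" next to "-tls1_2  negotiated" is the result you want; "unsupported" on the -ssl3 line means the test was never performed.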

For environments needing protocol flexibility:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLEngine On
        SSLProtocol TLSv1.2 TLSv1.3
        SSLCompression Off
        SSLUseStapling On
        Header always set Strict-Transport-Security "max-age=63072000"
        # Domain-specific settings...
    </VirtualHost>
</IfModule>

When disabling legacy protocols, ensure compatibility with:

  • Older Android systems (pre-5.0)
  • IE on Windows XP
  • Certain embedded systems

Always test with multiple clients before production deployment.


When dealing with SSL/TLS security in Apache, the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability remains a critical concern. The attack exploits SSLv3 fallback mechanisms, making protocol restriction essential. While global Apache configurations work, many administrators need per-VirtualHost control for staged testing.

The correct syntax for VirtualHost-specific SSL protocol restrictions is:

<VirtualHost *:443>
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    ServerName test.example.com
    # Additional directives...
</VirtualHost>

After implementing changes, verify with:

openssl s_client -connect test.example.com:443 -ssl3

If the connection succeeds despite your configuration, check for:

  • Parent configuration files overriding settings (use apachectl -S)
  • mod_ssl version compatibility issues
  • Inherited protocols from global SSL configuration

For maximum security with backward compatibility:

<VirtualHost *:443>
    SSLEngine On
    SSLProtocol TLSv1.2 TLSv1.3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLCompression Off
    ServerName secure.example.com
</VirtualHost>

When implementing protocol restrictions:

  • Benchmark with ab -n 1000 -c 100 https://test.example.com/
  • Monitor TLS handshake times using browser developer tools
  • Enable session resumption (for example via SSLSessionCache) to offset the cost of full handshakes

For environments requiring more granular control, note that SSLProtocol cannot be placed inside an <If> block: the protocol version is negotiated before any HTTP request (and thus any Host header) exists, so per-hostname control comes from separate name-based VirtualHosts matched via SNI:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName test.example.com
        SSLEngine On
        SSLProtocol All -SSLv2 -SSLv3
    </VirtualHost>
</IfModule>