Cannot disable SSLv3 on Amazon Linux Instance

Question

I am using SSL Certificate issued by Go Daddy. On my Linux Instance following are the software details :-

• Apache Version - Apache/2.4.16 (Amazon)
• Openssl Version - OpenSSL 1.0.1k-fips 8 Jan 2015
• mod_ssl version - mod_ssl-2.4.2

Note :- I install Apache from RPM Package and later I install mod_ssl and openssl from rpm package.

1) The problem is when I disable SSLv3 and test SSL Server from https://www.ssllabs.com/ssltest/ it gives me warning that "this server does not support TLSv1.2 which is current best" and when I enable TLSv1.2 protocol the same test warns me about "This server supports SSLv3 protocol and vulnerable to Poodle attack" How to disable SSLv3 and enable TLSv1.2 at same time on server? Current configuration of my Vhost file about SSL is:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

2) I cannot create a Strong Diffie-Hellman Group. Current is 1024-bit Diffie-Hellman group and want to create 2048-bit group for the site. I issue this command to generate 2048-bit key:-

openssl dhparam -out dhparams.pem 2048

and my configuration in VHost is:

SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem

when I restart server error message pop up:

Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

How to resolve this issue?

Output of command openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg when SSLv3 is enabled :-

CONNECTED(00000003)
>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0138], ClientHello

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 003a], ServerHello

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 12a7], Certificate

depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2     
Certification Authority
verify error:num=19:self signed certificate in certificate chain
<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 020f], ServerKeyExchange

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 0004], ServerHelloDone

>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0086], ClientKeyExchange

>>> ??? [length 0005]

>>> TLS 1.2 ChangeCipherSpec [length 0001]

>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0010], Finished

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 00ca]???

<<< ??? [length 0005]

<<< TLS 1.2 ChangeCipherSpec [length 0001]

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 0010], Finished

output of command openssl s_client -connect 127.0.0.1:443 -ssl3 -msg with SSLv3 disabled :-

>>> ??? [length 0005]

>>> SSL 3.0 Handshake [length 0099], ClientHello

<<< ??? [length 0005]

<<< SSL 3.0 Alert [length 0002], fatal handshake_failure

Output of command openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg when SSLv3 is disabled :-

CONNECTED(00000003)
>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0138], ClientHello

<<< ??? [length 0005]

>>> ??? [length 0005]

>>> TLS 1.0 Alert [length 0002], fatal protocol_version

SSL Debug Error Logs in Apache for command openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg when SSLv3 is disabled :-

[Tue Nov 24 07:50:13.019993 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01964: Connection to child 2 established (server site1.example.com:443)
[Tue Nov 24 07:50:13.023693 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH02008: SSL library error 1 in handshake (server site1.example.com:443)
[Tue Nov 24 07:50:13.023752 2015] [ssl:info] [pid 6419] SSL Library Error: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version (SSL alert number 70)
[Tue Nov 24 07:50:13.023789 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01998: Connection closed to child 2 with abortive shutdown (server site1.example.com:443)

sslscan --no-failed "site1.domain.com" command result when SSLProtocol all -SSLv2 -SSLv3 is used in configuration:-

sslscan --no-failed "site1.domain.com" command result when SSLProtocol all -SSLv2 -SSLv3 is not used in configuration:-

Both the results shows no sign of TLSv1.2 protocol. I think sslscan only scan for SSLv3 and TLSv1.1 protocol. Not TLSv1.2 Now when I tested this result on SSLLab with SSLProtocol all -SSLv2 -SSLv3 is not used in configuration then :-

It says TLSv1.2 is enable.

Answer 1

Add this below line & check
SSLProtocol all -SSLv2 -SSLv3 +TLSv1.2

Answer 2

Along with SSLProtocol -all +TLSv1.2

Edit the following "SSLCipherSuite" in /etc/apache2/mods-available/ssl.conf.

from: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 to:
SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \\ EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \\ EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS