server has no ssl.conf file


The resolution for the POODLE vulnerability says to disable SSLv3 (and SSLv2 if not already) in the /etc/httpd/conf.d/ssl.conf file. I have 3 RHEL servers, all version 5.11, with Apache/2.2.3. They all have the following:
[root@ctc366a httpd]# pwd
/etc/httpd
[root@ctc366a httpd]# ll
total 8
drwxr-xr-x 7 root root 4096 Sep 24 11:52 conf
drwxr-xr-x 2 root root 4096 Oct 15 13:42 conf.d
lrwxrwxrwx 1 root root 19 Sep 24 11:52 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 27 Sep 24 11:52 modules -> ../../usr/lib/httpd/modules
lrwxrwxrwx 1 root root 13 Sep 24 11:52 run -> ../../var/run
[root@ctc366a httpd]#

with the httpd.conf file under /etc/httpd/conf, and 2 of them have an ssl.conf file under /etc/httpd/conf.d, but the third does not. It does not have an ssl.conf file anywhere, and it does not appear to have the SSLProtocol directive in any other file. I don't know why. Can I copy the ssl.conf file from the most similar server and put it onto the server that does not have one, so I can disable SSLv3?
Thanks!
Julie

Responses

I did apply yum updates to the server and there were 4 updates for openssl, but I do not know if this is enough to secure the server from this vulnerability, or if I need to have the SSLProtocol directive specified as well.

If you have residual concerns about a website and the website is public facing, I recommend scanning it with the Qualys SSL labs test here:
https://www.ssllabs.com/ssltest/

They have recently updated the test to include checks for the Poodle vulnerability.

Actually there is no website on this server, it is used for back-end data crunching. So I think it is OK. Thank you for the suggestion, I tried the test on one of our websites -- very thorough test!

If you don't have the ssl.conf file for httpd, then you did not install that module and you're probably not dishing out secured web pages, if at all.

Yes, we figured out later (after I posted the question), that somehow mod_ssl had not been installed on this server -- we thought it was since we have it on all our other servers. But as I said, there is no website on this server, so unsecured web pages is not a concern. Thank you.
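
The check this thread arrived at by hand (is mod_ssl loaded at all, and if so, does any SSLProtocol line still allow SSLv3?) can be scripted. The following is an added example, not part of any post above: the function names and verdict strings are made up for illustration, and it assumes the RHEL layout shown in the question (conf/httpd.conf plus conf.d/*.conf, with the LoadModule line for ssl_module in one of those files). It only reads the static config files and does not probe a running server.

```shell
#!/bin/sh
# Usage: audit_sslv3 /etc/httpd   (prints one verdict word; names are illustrative)

# Print every non-comment line from the *.conf files under conf/ and conf.d/.
active_lines() {
    find "$1/conf" "$1/conf.d" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
        grep -v '^[[:space:]]*#' || true
}

# Return 0 if one SSLProtocol argument list leaves SSLv3 enabled.
# "-x" removes a protocol, "+x" adds it, and a bare name replaces the whole set.
line_allows_sslv3() {
    on=0; set -f                      # set -f: do not glob-expand tokens
    for tok in $1; do
        name=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case $name in
            -all|-sslv3) on=0 ;;
            +all|+sslv3|all|sslv3) on=1 ;;
            -*|+*) ;;                 # other protocol added/removed: SSLv3 unchanged
            *) on=0 ;;                # bare other protocol replaces the set
        esac
    done
    set +f
    [ "$on" -eq 1 ]
}

# Verdicts: mod_ssl-not-loaded | no-sslprotocol-directive | sslv3-enabled | sslv3-disabled
audit_sslv3() {
    lines=$(active_lines "$1")
    if ! printf '%s\n' "$lines" | grep -qi '^[[:space:]]*LoadModule[[:space:]]\{1,\}ssl_module'; then
        echo mod_ssl-not-loaded; return 0
    fi
    protos=$(printf '%s\n' "$lines" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' || true)
    if [ -z "$protos" ]; then
        echo no-sslprotocol-directive; return 0
    fi
    verdict=sslv3-disabled            # flipped if any single line allows SSLv3
    while IFS= read -r l; do
        args=$(printf '%s' "$l" | sed 's/^[[:space:]]*[^[:space:]]*//')
        if line_allows_sslv3 "$args"; then verdict=sslv3-enabled; fi
    done <<EOF
$protos
EOF
    echo "$verdict"
}
```

A `mod_ssl-not-loaded` verdict corresponds to the third server in this thread: with no ssl.conf and no mod_ssl, httpd has no SSL listener for an SSLProtocol directive to govern.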
