HostMonster Web Hosting Help
Disable SSLv3 on a VPS or Dedicated Server
This article will explain how to disable SSLv3 on a VPS or Dedicated server. This can help you avoid issues with vulnerabilities in SSLv3.
Click on any of the sections to jump to that point in the guide.
- What You Need
- Login to the WHM
- Open the Apache Settings
- Change the SSL Cipher and Protocol Settings
- Test the Configuration
What You Need
- The password for the root user on your server.
Login to the WHM
You will need to be able to login to WHM on your server. This requires knowing the root password for your server. If you don't know the root password or haven't set one up, please see https://my.HostMonster.com/hosting/help/whm-login#root-password.
- Login to the WHM by going to yourdomain.com/whm in a browser. Replace yourdomain.com with your domain name.
- Once you get to the login page, enter your username and password.
- Username will be root.
- Password will be the root password for your server. If you don't know the root password or haven't set one up, please see https://my.HostMonster.com/hosting/help/whm-login#root-password.
- You may see a page titled "Feature Showcase". If so, click on Exit to WHM at the bottom of the page.
Open the Apache Settings
- In the search bar at the top left of the WHM, type "Apache".
- In the search results, click on "Apache Configuration".
Change the SSL Cipher and Protocol Settings
- On Apache Configuration page, click on Global Configuration
The first option should be SSL Cipher Suite, Select the 3rd option then copy this text into the box:
- Under SSL/TLS Protocols, make sure the default setting, All -SSLv2 -SSLv3 is selected.
- Scroll to the bottom of the page and click the Save button.
- Click the Rebuild Configuration and Restart Apache button.
Note: After following these steps it may be necessary to add "Options +FollowSymLinks" to the .htaccess file for your site.
Test the Configuration
To test that SSL is disabled you run this command:
curl -IL –sslv3 https://domain.com
Note: replace domain.com with the domain for your site.
If SSLv3 has been disabled you should see a message like this:
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure