
Disable SSLv3 support for Apache

In case you haven’t disabled support for SSLv3 for Apache yet – do so now! You can easily disable SSLv3 in your Apache configuration (httpd.conf) by adding -SSLv3 to the SSLProtocol directive:

SSLHonorCipherOrder on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

As always, make sure to restart Apache afterwards. Note that depending on your setup you might need to set the list of supported protocols for each vhost entry separately.
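To check the per-vhost point above, this added example (not part of the original post) computes the effective SSLProtocol list for the global scope and for each <VirtualHost> block and reports the scopes that still allow SSLv3. It assumes that "all" expands to every protocol including SSLv3, that a vhost without its own directive inherits the global one, and that a config with no directive behaves like "all"; the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: "all" expands to every name here, SSLv3 included (older builds).
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
BY_LOWER = {p.lower(): p for p in KNOWN}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: + adds, - removes, bare replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key != "all" and key not in BY_LOWER:
            raise ValueError(f"unknown protocol in SSLProtocol: {tok!r}")
        chosen = set(KNOWN) if key == "all" else {BY_LOWER[key]}
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def scopes_allowing_sslv3(conf_text):
    """List the scopes (global, each <VirtualHost>) that still enable SSLv3."""
    own, current = {"global": None}, "global"
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        directive = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if opened:
            current = f"{opened.group(1).strip()} (line {n})"
            own[current] = None
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        elif directive:
            own[current] = effective_protocols(directive.group(1))
    # Assumption: vhosts without a directive inherit the global one, and a
    # config with no directive at all is treated like "all" (worst case).
    fallback = own["global"] if own["global"] is not None else set(KNOWN)
    return [scope for scope, protos in own.items()
            if "SSLv3" in (fallback if protos is None else protos)]

# Constructed sample: global line from the post; the second vhost overrides it.
SAMPLE = ("SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2\n"
          "<VirtualHost *:443>\n</VirtualHost>\n"
          "<VirtualHost *:8443>\n    SSLProtocol all\n</VirtualHost>\n")

print(scopes_allowing_sslv3(SAMPLE))
```

Run it against the text of httpd.conf and any included vhost files; an empty list means no scope in the parsed text enables SSLv3.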

Test your configuration

Test your site’s security status against best practice for

  1. certificates
  2. protocol support
  3. key exchange
  4. cipher strength

with the Qualys SSLLabs SSL Analyzer. This tool will check various parameters and provide you with an overall rating.


Fixing Magento error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


This is just a quick fix post in case you are experiencing the error

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Check the file downloader/lib/Mage/HTTP/Client/Curl.php and make sure it uses a secure transport protocol supported by Magento Connect (SSLv3 vs. TLSv1):

$this->curlOption(CURLOPT_URL, $uri);
$this->curlOption(CURLOPT_SSL_VERIFYPEER, FALSE);
$this->curlOption(CURLOPT_SSL_VERIFYHOST, 2);

Solution

In order to overcome this error, simply set the cURL option CURLOPT_SSL_CIPHER_LIST to TLSv1:

$this->curlOption(CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

Background info

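Magento Connect (finally) canceled support for SSLv3. Thus, when the Magento downloader tries to communicate with the Magento Connect server, it fails due to incompatible security protocols. You can easily fix this error by specifying TLSv1 as the alternative security protocol. Separately, the Curl.php excerpt above sets CURLOPT_SSL_VERIFYPEER to FALSE, so the downloader does not verify the server's certificate; the TLSv1 change fixes the handshake but leaves that setting as it is.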