Enable SSL logging on Apache to check whether your clients are still using SSLv3; with the CustomLog format below you get the protocol and cipher used for each HTTPS request:
CustomLog /tmp/apache_ssl.log "%v %a %{SSL_PROTOCOL}x %{SSL_CIPHER}x"
Tip: see the mod_ssl documentation if you need other SSL environment variables.
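As an added example (not part of the original note), a POSIX shell script that summarises a log written with the CustomLog format above, so you can see which clients still negotiate SSLv3 before you switch it off; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Summarise SSLv3 usage from an Apache CustomLog written with the format
# "%v %a %{SSL_PROTOCOL}x %{SSL_CIPHER}x" (vhost, client IP, protocol, cipher).
# Added example, not from the original note; the sample log below is constructed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
www.example.com 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
www.example.com 198.51.100.7 SSLv3 DES-CBC3-SHA
www.example.com 203.0.113.10 TLSv1 AES256-SHA
www.example.com 198.51.100.7 SSLv3 RC4-SHA
www.example.com 192.0.2.33 SSLv3 DES-CBC3-SHA
www.example.com 203.0.113.11 - -
EOF

# Requests per protocol; "-" means mod_ssl set no protocol for the request
# (plain HTTP on the same log, or the variable was unavailable): reported as "none".
protocol_counts() {
    awk '{ p = ($3 == "-") ? "none" : $3; c[p]++ }
         END { for (p in c) print p, c[p] }' "$1" | sort
}

# Client IPs that negotiated SSLv3, with request count and the distinct
# ciphers seen, so their owners can be contacted before SSLv3 is disabled.
sslv3_clients() {
    awk '$3 == "SSLv3" { n[$2]++; if (!seen[$2, $4]++) s[$2] = s[$2] " " $4 }
         END { for (ip in n) print ip, n[ip] s[ip] }' "$1" | sort
}

# Number of SSLv3-only clients: IPs that never negotiated anything newer,
# i.e. the ones that will actually break when SSLv3 is turned off.
sslv3_only_count() {
    awk '$3 == "SSLv3" { v3[$2] = 1 }
         $3 != "SSLv3" && $3 != "-" { newer[$2] = 1 }
         END { n = 0; for (ip in v3) if (!(ip in newer)) n++; print n }' "$1"
}

echo "Requests per protocol:"; protocol_counts "$SAMPLE_LOG"
echo "Clients still using SSLv3:"; sslv3_clients "$SAMPLE_LOG"
echo "SSLv3-only clients: $(sslv3_only_count "$SAMPLE_LOG")"
```

Point the functions at the real log path instead of the constructed sample to run it against your own server.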
If possible, disable SSLv3 on the web server:
- Apache:
SSLProtocol All -SSLv3 -SSLv2
- nginx:
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
Use external services to check and ensure SSLv3 is disabled:
The ssl-enum-ciphers script for nmap can be used to discover which SSLv3/TLS ciphers a server accepts:
santisaez@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 twitter.com
(..)
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
Red Hat has published a script that checks whether SSLv3 is enabled using the "openssl" client:
#!/bin/bash
# Attempt an SSLv3-only handshake against host (arg 1, default: this host) and
# port (arg 2, default: 443); "Q" closes the session once the handshake is done.
# Note: the -ssl3 option only exists if the local openssl was built with SSLv3
# support; otherwise the script falls through to "SSL disabled or other error".
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-$(hostname)}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # Cipher "0000" means no cipher was negotiated, i.e. the server refused SSLv3.
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled"
    else
        echo "SSL 3.0 enabled"
    fi
else
    echo "SSL disabled or other error"
fi
Useful links: