Information
The Apache 'SSLProtocol' directive specifies the SSL and TLS protocols allowed. Both the SSLv2 and the SSLv3 protocols should be disabled in this directive because they are outdated and vulnerable to information disclosure. Only TLS protocols should be enabled.
Rationale:
The SSLv2 and SSLv3 protocols are flawed and shouldn't be used, as they are subject to man-in-the-middle attacks and other cryptographic attacks. The TLSv1 protocols should be used instead, and the newer TLS protocols are preferred.
Solution
Perform the following to implement the recommended state:
Search the Apache configuration files for the SSLProtocol directive. Add the directive if not present or change the value to match one of the following values. The first setting 'TLS1.2' is preferred when it is acceptable to also disable the TLSv1.0 and TLSv1.1 protocols. See the level 2 recommendation 'Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled' for details.
SSLProtocol TLS1.2
SSLProtocol TLSv1