If you are using SSL in your web server, you probably want to read this.
Google recently published details about an attack that targets SSLv3.
The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. […] In other words, your data is no longer encrypted.
The default configuration for most web servers still allows SSLv3 and often also SSLv2. And other potentially weak ciphers. However it is easy to fix, and help protect your customers and their data at the same time.
For Apache the easiest method is to add “-SSLv3” to the SSLProtocol option. If you cant find that try the following line in the globabl apache config.
SSLProtocol All -SSLv2 -SSLv3
In Centos 6, check first in /etc/httpd/conf.d/ssl.conf. In Debian and Ubuntu check /etc/apache2/mods-enabled/ssl.conf. Remeber to restart apache after making the change.
You can test if your server allows SSLv3 connections online. Or if you prefer you can do that on the command line with something like the following, if SSLv3 is disabled you should get an error.
openssl s_client -connect yourdomaintotest.com:443 -ssl3You may also want to look at explicitly disabling other weak protocols (eg TLS v1.0) and bad ciphers that are avilable for fallback (eg RC4). Make sure to test that your clients can still connect to your services. Some (very) old browsers, especially on mobile devices may have issues.
Do check other things that use SSL as well, for example your mail server may accept SSL connections.
Other references that may be useful:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ http://httpd.apache.org/docs/2.2/mod/mod_ssl.html http://nginx.com/blog/nginx-poodle-ssl/ https://access.redhat.com/articles/1232123 http://blog.ricardoamaro.com/content/poodle-sslv3-vulnerability-fix
If you need a hand with any of the topics discussed here, please open a support ticket and we can certainly help out.
Update: The following snippet should update most default configurations to disable SSLv3 in apache. However remember to check for the SSLProtocol directive in other (non-connonical) places in the apache configuration, in case those override the change.
if [ -e /etc/redhat-release ]; then sed -i 's/SSLProtocol all.*/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf.d/ssl.conf service httpd restart else sed -i 's/SSLProtocol all.*/SSLProtocol All -SSLv2 -SSLv3/' /etc/apache2/mods-available/ssl.conf service apache2 restart fi
2 responses to “SSLv3 and securing against Poodle”
Hello,
thansk for very good post.
How to turn off ssl on exim? to run only on TLS?
Best regards
HI Nenda, we can surely help you set this up. Otherwise take a look at this link and make sure you have TLS enabled properly first, then disable SSL ciphers
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html