SSLv3 and securing against Poodle

If you are using SSL in your web server, you probably want to read this.

Google recently published details about an attack that targets SSLv3.

The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. [...] In other words, your data is no longer encrypted.

The default configuration for most web servers still allows SSLv3 and often also SSLv2. And other potentially weak ciphers. However it is easy to fix, and help protect your customers and their data at the same time.

For Apache the easiest method is to add "-SSLv3" to the SSLProtocol option. If you cant find that try the following line in the globabl apache config.

SSLProtocol All -SSLv2 -SSLv3

In Centos 6, check first in /etc/httpd/conf.d/ssl.conf. In Debian and Ubuntu check /etc/apache2/mods-enabled/ssl.conf. Remeber to restart apache after making the change.

You can test if your server allows SSLv3 connections online. Or if you prefer you can do that on the command line with something like the following, if SSLv3 is disabled you should get an error.

openssl s_client -connect yourdomaintotest.com:443 -ssl3

You may also want to look at explicitly disabling other weak protocols (eg  TLS v1.0) and bad ciphers that are avilable for fallback (eg  RC4). Make sure to test that your clients can still connect to your services. Some (very) old browsers, especially on mobile devices may have issues.

Do check other things that use SSL as well, for example your mail server may accept SSL connections.

Other references that may be useful:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
http://nginx.com/blog/nginx-poodle-ssl/
https://access.redhat.com/articles/1232123
http://blog.ricardoamaro.com/content/poodle-sslv3-vulnerability-fix

If you need a hand with any of the topics discussed here, please open a support ticket and we can certainly help out.

Update: The following snippet should update most default configurations to disable SSLv3 in apache. However remember to check for the SSLProtocol directive in other (non-connonical) places in the apache configuration, in case those override the change.

if [ -e /etc/redhat-release ]; then 
  sed -i 's/SSLProtocol all.*/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf.d/ssl.conf 
  service httpd restart
else 
  sed -i 's/SSLProtocol all.*/SSLProtocol All -SSLv2 -SSLv3/' /etc/apache2/mods-available/ssl.conf
  service apache2 restart 
fi

About Glenn Enright

Linux Systems Administrator at RimuHosting.com. I focus mainly on dedicated server provisioning with a sprinkling of network administration.
This entry was posted in Rimuhosting, Security and tagged , , , , , , , , . Bookmark the permalink.

2 Responses to SSLv3 and securing against Poodle

  1. Nenad Janjic says:

    Hello,
    thansk for very good post.

    How to turn off ssl on exim? to run only on TLS?

    Best regards

  2. Glenn Enright says:

    HI Nenda, we can surely help you set this up. Otherwise take a look at this link and make sure you have TLS enabled properly first, then disable SSL ciphers

    http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html