Disabling SSLv3 for POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE) was published by Google in October 2014 under the CVE identifier CVE-2014-3566.

The vulnerability lies in the SSL 3.0 protocol itself. That makes it different from “Heartbleed” (CVE-2014-0160), which was an implementation bug in OpenSSL: every SSL 3.0 implementation is affected by POODLE, whichever library it uses.

SSL 3.0 has a design flaw in its CBC-mode cipher suites: the padding bytes are not covered by the MAC and only the last one is checked. A “man in the middle” who can make the victim's browser send many requests carrying the same secret (for example by injecting JavaScript into an unencrypted page) can use the server's accept/reject behaviour as a padding oracle and recover the plaintext one byte at a time, at an average cost of 256 requests per byte. This targets the ciphers and allows the retrieval of plaintext, such as session cookies, from what should otherwise be encrypted information. The “downgraded” in the name refers to the first step of the attack: the attacker interferes with the handshake so that a client and server that both support TLS fall back to SSL 3.0.


Impacts of Disabling SSLv3

For most deployments there is no impact in disabling SSLv3, because the large majority of connections already use TLS 1.0 or later. The only clients that break are those that speak nothing newer than SSL 3.0, chiefly Internet Explorer 6 on Windows XP with its default settings.

It is advisable to disable SSLv3 not only in server applications but also in desktop browsers such as Chrome and Firefox, since a server you do not control may still offer it; current versions of both browsers have since removed SSLv3 support.


How to Test for SSLv3

There are a number of ways to find out whether a service that runs over SSL/TLS also accepts SSLv3. The simplest is the OpenSSL command line client, running the following command.


openssl s_client -connect example.com:443 -ssl3

Note: example.com is your domain or IP address and 443 is the port (replace both with your own). Once you run the command, check for the following in the output:

routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If you see the above (or a “wrong version number” error), the server refused to negotiate SSLv3 and the domain or IP you have tested DOES NOT support it. If instead the handshake completes and the SSL-Session block shows “Protocol : SSLv3” together with a real cipher suite, SSLv3 is enabled and the host is exposed to POODLE. Two caveats: the exact error text depends on your OpenSSL version, and OpenSSL 1.1.0 and later are built without SSLv3, so they reject the -ssl3 option outright (“unknown option”) and prove nothing about the server. On such a client use a scanner that implements SSLv3 itself, for example nmap's ssl-enum-ciphers script or testssl.sh.
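The check above, scripted: this is an added example, not code from the original article, that runs openssl s_client -ssl3 against a list of hosts and classifies the output instead of relying on eyeballing it. It assumes an OpenSSL 1.0.x client on the machine running it. The sample outputs embedded in the block are constructed to mirror the three kinds of result; they were not captured from any real host.

```sh
#!/bin/sh
# Added example: probe hosts for SSLv3 with openssl s_client and classify the
# result rather than reading the output by eye. Assumes an OpenSSL 1.0.x
# client; OpenSSL 1.1.0 and later are built without SSLv3 and reject -ssl3.

# classify_sslv3_output: read s_client output on stdin, print one verdict.
#   DISABLED    the server refused an SSLv3 handshake (what you want)
#   ENABLED     the server completed an SSLv3 session (exposed to POODLE)
#   UNTESTABLE  no verdict: client lacks SSLv3, host unreachable, etc.
classify_sslv3_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eiq 'unknown option|connection refused|connect:errno|getaddrinfo|could not resolve'; then
        echo UNTESTABLE
    elif printf '%s\n' "$out" | grep -Eq 'alert handshake failure|wrong version number|Cipher +: +0000'; then
        # A refusal shows an alert, a version error, or a null cipher:
        # OpenSSL 1.0.x still prints an SSL-Session block after a failure.
        echo DISABLED
    elif printf '%s\n' "$out" | grep -Eq 'Protocol +: +SSLv3'; then
        # Only a negotiated SSLv3 session with a real cipher proves exposure.
        echo ENABLED
    else
        echo UNTESTABLE
    fi
}

# check_sslv3 HOST [PORT]: run the probe; stdin is /dev/null so no data is sent.
check_sslv3() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1 | classify_sslv3_output
}

# Constructed sample outputs (not captured from any real host) that mirror the
# three cases, so the classifier can be exercised without network access.
sample_refused() {
    printf '%s\n' 'CONNECTED(00000003)' \
        '140735197315920:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40' \
        '---' 'SSL-Session:' '    Protocol  : SSLv3' '    Cipher    : 0000' '---'
}
sample_enabled() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'SSL-Session:' \
        '    Protocol  : SSLv3' '    Cipher    : AES256-SHA' '---'
}
sample_no_sslv3_client() {
    printf '%s\n' 's_client: Unknown option: -ssl3'
}

demo() {
    printf 'server refused  -> %s\n' "$(sample_refused | classify_sslv3_output)"
    printf 'sslv3 session   -> %s\n' "$(sample_enabled | classify_sslv3_output)"
    printf 'no sslv3 client -> %s\n' "$(sample_no_sslv3_client | classify_sslv3_output)"
}

# Usage: sh poodle-check.sh example.com example.org:8443   (no args: run demo)
main() {
    [ $# -eq 0 ] && { demo; return 0; }
    for target in "$@"; do
        host=${target%%:*}
        port=${target##*:}
        [ "$port" = "$target" ] && port=443
        printf '%s:%s\t%s\n' "$host" "$port" "$(check_sslv3 "$host" "$port")"
    done
}

main "$@"
```

Treat UNTESTABLE as “unknown”, not as “safe”: it is exactly the result a modern OpenSSL gives for every host, which is why the classifier refuses to guess from it.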

Disabling SSLv3

Sadly, there isn't a patch in the usual sense. POODLE is a flaw in the SSL 3.0 protocol itself, not a bug in one implementation, so no update to OpenSSL or any other library fixes it. The only real fix is to disable SSLv3 in every application that speaks it. Where SSLv3 must stay on for a while, TLS_FALLBACK_SCSV (RFC 7507, supported from OpenSSL 1.0.1j) stops an attacker from forcing the downgrade, but only with clients that also implement it; it is a mitigation, not a fix.

You are exposed to POODLE only if the browser and the server both support SSLv3. So if you disable it on your servers, you are also protecting your users when they talk to you, though not when they talk to other servers that still offer it.

To fix it on the server side you will need to change the following configuration directives.

Apache Users

Edit your mod_ssl configuration file (/etc/httpd/conf.d/ssl.conf on RHEL/CentOS, /etc/apache2/mods-available/ssl.conf on Debian/Ubuntu) and set the SSLProtocol directive as below. Note that “all” includes SSLv3, so the “-SSLv3” is the part that matters. Check every <VirtualHost> that carries its own SSLProtocol as well, because a vhost-level directive overrides the global one. After you are finished, run apachectl configtest and restart the Apache service.

SSLProtocol all -SSLv3 -SSLv2

NGINX users

Edit your configuration file /etc/nginx/nginx.conf (and any file it includes, typically under /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/) and set ssl_protocols in the http block as below. A server block with its own ssl_protocols overrides it, so update those too. Add the directive explicitly even if it is absent: nginx before 1.9.1 enabled SSLv3 by default when it was not set. If your build supports it (nginx 1.13.0 or later with OpenSSL 1.1.1), prefer “ssl_protocols TLSv1.2 TLSv1.3;”, since TLS 1.0 and 1.1 have themselves been deprecated (RFC 8996). After you are finished, run nginx -t and restart the NGINX service.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
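Because a leftover directive in one virtual host or server block can undo the global change, the following added example (not the article's own code) audits Apache and nginx configuration files for SSLv3 before you restart. It evaluates Apache's SSLProtocol tokens the way mod_ssl does and checks nginx's ssl_protocols, including the case where the directive is missing. The configuration files it writes are constructed for the demo, not taken from any real system.

```sh
#!/bin/sh
# Added example: audit Apache (mod_ssl) and nginx configuration for SSLv3
# before restarting. Every directive is evaluated, not just the first found,
# because a <VirtualHost> or server block can re-enable what the global
# directive disables.

# apache_sslv3_lines FILE...: print each SSLProtocol directive that still
# permits SSLv3. Tokens are evaluated as mod_ssl does: a bare name replaces
# the set, "+name" adds, "-name" removes, and "all" expands to SSLv3 plus
# every TLS version (unless OpenSSL was built with no-ssl3). Exit 1 on findings.
apache_sslv3_lines() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslprotocol" {
            allowed = 0
            for (i = 2; i <= NF; i++) {
                op = substr($i, 1, 1)
                name = (op == "+" || op == "-") ? tolower(substr($i, 2)) : tolower($i)
                has = (name == "all" || name == "sslv3")
                if (op == "+" && has) allowed = 1
                else if (op == "-" && has) allowed = 0
                else if (op != "+" && op != "-") allowed = has
            }
            if (allowed) { print FILENAME ":" FNR ": " $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# nginx_sslv3_lines FILE...: print each ssl_protocols directive listing SSLv3
# or SSLv2, and flag files with no ssl_protocols at all (nginx before 1.9.1
# defaulted to "SSLv3 TLSv1 TLSv1.1 TLSv1.2"). Pass nginx.conf together with
# everything it includes. Exit 1 on findings.
nginx_sslv3_lines() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "ssl_protocols" {
            seen[FILENAME] = 1
            line = $0
            sub(/#.*/, "", line)         # drop a trailing comment
            gsub(/;/, " ", line)         # drop the directive terminator
            n = split(line, tok, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "SSLv3" || tok[i] == "SSLv2") {
                    print FILENAME ":" FNR ": " $0; bad++; break
                }
        }
        END {
            for (a = 1; a < ARGC; a++)
                if (!(ARGV[a] in seen)) {
                    print ARGV[a] ": no ssl_protocols directive (nginx < 1.9.1 enables SSLv3 by default)"
                    bad++
                }
            exit (bad > 0)
        }
    ' "$@"
}

# write_sample_configs DIR: constructed configs for the demo (not from any
# real system). The "-before" files still allow SSLv3 somewhere.
write_sample_configs() {
    cat > "$1/apache-before.conf" <<'EOF'
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol +SSLv3 +TLSv1.2
</VirtualHost>
EOF
    cat > "$1/apache-after.conf" <<'EOF'
SSLProtocol all -SSLv3 -SSLv2
EOF
    cat > "$1/nginx-before.conf" <<'EOF'
http {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # old default spelled out
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2;
    }
}
EOF
    cat > "$1/nginx-after.conf" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
    cat > "$1/nginx-none.conf" <<'EOF'
http {
    server { listen 443 ssl; }
}
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    for f in "$dir"/apache-*.conf; do
        echo "== $f"
        apache_sslv3_lines "$f" && echo "   ok: no SSLProtocol line permits SSLv3"
    done
    for f in "$dir"/nginx-*.conf; do
        echo "== $f"
        nginx_sslv3_lines "$f" && echo "   ok: SSLv3 not listed"
    done
    rm -rf "$dir"
}

main
```

On a real system run the two functions over every file the server loads (for example apache_sslv3_lines /etc/httpd/conf.d/*.conf, or nginx_sslv3_lines /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/sites-enabled/*), then apachectl configtest or nginx -t, and only then restart. The audit reads files, so it cannot see what the running process was started with; re-run the s_client check after the restart to confirm.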