Knowledgebase

SSLv3 POODLE Vulnerability

HOW TO PROTECT YOUR SERVER

The easiest and most robust solution to POODLE is to disable SSLv3 support on your server. 

APACHE

To disable SSLv3 on your Apache server, open the configuration files of the web server and virtual hosts (located in /etc/apache2/ or /etc/httpd/) and edit the 'SSLProtocol' directive so that it reads:

SSLProtocol All -SSLv2 -SSLv3

This gives you support for TLSv1.0, TLSv1.1 and TLSv1.2 while explicitly removing support for SSLv2 and SSLv3. Check the config and then restart Apache:

apachectl configtest
sudo service apache2 restart

NGINX

Disabling SSLv3 support on Nginx is also really easy. Configuration files of the web server and virtual hosts are located in /etc/nginx/. Find the 'ssl_protocols' setting and edit it so that it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Similar to the Apache config above, you will get TLSv1.0+ support and no SSL. Check the config and then restart Nginx:

sudo nginx -t
sudo service nginx restart

IIS

This one requires some registry changes and a server reboot. Microsoft have a support article with the required information. All you need to do is modify/create a registry DWORD value.

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Create an SSL 3.0 key under Protocols if it does not already exist. Under that, create a Server key and inside it a DWORD value called Enabled with value 0. Once that's done, reboot the server for the changes to take effect.


HOW TO CHECK YOUR SERVER

The easiest and probably the most widely used method to test your SSL setup is the Qualys SSL Test. Simply navigate to the site, enter the domain for the website you want to test and hit submit to start the test.

Once the test has finished, you need to look in the Configuration section at your supported protocols.

What you want to see here is that no SSL protocols are supported. Supporting TLSv1.0 or better is enough to serve the vast majority of internet users without exposing anyone to unnecessary risk.
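As a local complement to the online test, the sketch below scans Apache and Nginx configuration text for 'SSLProtocol' and 'ssl_protocols' directives that still leave SSLv3 enabled. It is an added example, not part of the original article; the function names and sample directives are constructed, and it assumes that Apache's "All" includes SSLv3 and that a bare protocol name replaces what was set before it.

```python
import re

# Constructed sample directives (not from a real server).
APACHE_SAMPLE = """\
# SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All -SSLv2
SSLProtocol TLSv1.2 +SSLv3
SSLProtocol All -SSLv2 -SSLv3
"""
NGINX_SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

# Assumption: "All" is expanded to the worst case, which includes SSLv3.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"(SSLProtocol|ssl_protocols)\s+(.+)", re.I)

def apache_protocols(args):
    """Evaluate SSLProtocol left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # copy so APACHE_ALL is never mutated
    return enabled

def find_sslv3(config_text):
    """Return (line_number, directive) for each directive that leaves SSLv3 on."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments and ';'
        m = DIRECTIVE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            enabled = apache_protocols(m.group(2))
        else:  # nginx: the directive simply lists what is enabled
            enabled = set(m.group(2).lower().split())
        if "sslv3" in enabled:
            hits.append((n, line))
    return hits
```

Call find_sslv3() on the contents of each file under /etc/apache2/, /etc/httpd/ or /etc/nginx/; an empty list means no directive in that file enables SSLv3.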

HOW TO PROTECT YOUR BROWSER

It is also possible to protect yourself from POODLE by disabling SSLv3 support in your browser.

FIREFOX

Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1.


CHROME

Chrome users can add the command line flag --ssl-version-min=tls1 to enforce the use of TLS and prevent any connection using the SSL protocol. In Windows, right click on your Chrome shortcut, hit Properties and add the command line flag as seen in the image below.

Poodle_3.jpg

If you use Google Chrome on Mac, Linux, Chrome OS or Android, you can follow these instructions here.

INTERNET EXPLORER

Fixing up Internet Explorer is also pretty easy. Go to Settings, Internet Options and click on the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it.


HOW TO CHECK YOUR BROWSER

There's also the Qualys SSL Client Test to see what your browser supports.

Information taken from the site https://scotthelme.co.uk/ and presented in a compressed form. Sitevalley.com team is grateful to the author.
