A recently reported vulnerability in the SSL v3 protocol can be exploited by a man-in-the-middle to extract parts of the plaintext transmission that was encrypted by HTTPS. Google has published a detailed explanation on how this attacked could be executed.
This is a vulnerability in the design of the SSL v3 protocol when using block cipheres. As an alternate stream ciphers also show weaknesses, the only measure is to disable SSLv3 in your webservers configuration.
How to test for SSL POODLE vulnerability?
openssl s_client -connect example.com:443 -ssl3
Replace example.com with your SSL domain. If there is a handshake failure, then the server is not supporting SSLv3 and it is secure from this vulnerability. Otherwise it is required to disable SSLv3 support.
Disable SSLv3 in Apache
If you are running an Apache web server that currently allows SSLv3, you will need to edit the Apache configuration.
On Debian and Ubuntu the systems file is /etc/apache2/mods-available/ssl.conf
On CentOS and Fedora the file is /etc/httpd/conf.d/ssl.conf
You will need to add the following line to your Apache configuration with other SSL directives.
SSLProtocol All -SSLv2 -SSLv3
apachectl configtestYou will then need to restart your Apache web server. On Ubuntu and Debian:
sudo service apache2 restartOn CentOS and Fedora:
systemctl restart httpd
If you are running an NGINX web server, you'll need to edit the NGINX configuration file. nginx.conf. This can be found in /etc/nginx/nginx.conf. You wil need to add hte following line to your server directive:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
sudo service nginx restart
Please submit a ticket via email@example.com or within your client.wizzsolutions.com if you would like help patching your server for this vulnerability.
WizzSolutions Security Team
source: http://nginx.com/blog/nginx-poodle-ssl/, http://blog.adityapatawari.com/2014/10/how-to-check-for-ssl-poodle-sslv3-bug.html, https://linode.com/docs/security/security-patches/disabling-sslv3-for-poodle