ATTENTION: POODLE: SSLv3 vulnerability (CVE-2014-3566)

    October 16, 2014 by Michael K
    A recently reported vulnerability in the SSL v3 protocol can be exploited by a man-in-the-middle to extract parts of the plaintext of a transmission that was encrypted by HTTPS. Google has published a detailed explanation of how this attack can be executed.

    This is a vulnerability in the design of the SSL v3 protocol when block ciphers are used. Since the alternative, stream ciphers, also shows weaknesses, the only effective measure is to disable SSLv3 in your web server's configuration.

    How to test for SSL POODLE vulnerability?

    openssl s_client -connect example.com:443 -ssl3

    Replace example.com with your SSL domain. If the command ends with a handshake failure, the server does not support SSLv3 and is not affected by this vulnerability. Otherwise, SSLv3 support must be disabled.
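    The following script is an added example, not part of the original notice: it wraps the openssl s_client probe above and classifies its output, so a list of hosts can be checked in one go. The verdict logic works on captured text, so it is shown here against constructed (abridged) sample outputs; probe_host() wires it to a live connection. One caveat a practitioner will hit: current OpenSSL builds are usually compiled without SSLv3, in which case s_client rejects -ssl3 and no verdict about the server is possible (reported as CLIENT_NO_SSL3).

```shell
#!/bin/sh
# Added example: classify the result of `openssl s_client -ssl3`.
# Not code from the original notice; host names given on the command line
# are the only real input, everything else below is constructed sample text.

# Given the combined stdout/stderr of `openssl s_client -ssl3`, print one of:
#   ENABLED         the server completed an SSLv3 handshake (vulnerable)
#   DISABLED        the server refused SSLv3 (alert / wrong version / no cipher)
#   CLIENT_NO_SSL3  the local openssl has no SSLv3 client support: no verdict
#   UNKNOWN         output matched none of the known shapes
# Refusal patterns are tested first: on a failed handshake s_client still
# prints an "SSL-Session" block containing "Protocol  : SSLv3".
classify_sslv3() {
    case "$1" in
        *"unknown option -ssl3"*)                         echo CLIENT_NO_SSL3 ;;
        *"handshake failure"*|*"wrong version number"*|\
        *"Cipher is (NONE)"*|*"Cipher    : 0000"*)        echo DISABLED ;;
        *"Protocol  : SSLv3"*)                            echo ENABLED ;;
        *)                                                echo UNKNOWN ;;
    esac
}

# Run the probe against a live host (default port 443) and classify it.
probe_host() {
    host=$1
    port=${2:-443}
    # "Q" on stdin closes the session as soon as the handshake has finished.
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -ssl3 2>&1)
    classify_sslv3 "$out"
}

# Constructed, abridged s_client outputs used to exercise the classifier offline.
SAMPLE_VULNERABLE=$(cat <<'EOF'
CONNECTED(00000003)
New, SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
EOF
)
SAMPLE_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
)
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'

# Self-check on the constructed samples, then probe any hosts given as arguments.
echo "sample vulnerable : $(classify_sslv3 "$SAMPLE_VULNERABLE")"
echo "sample refused    : $(classify_sslv3 "$SAMPLE_REFUSED")"
echo "sample no-ssl3    : $(classify_sslv3 "$SAMPLE_NO_SSL3")"
if [ $# -gt 0 ]; then
    for h in "$@"; do
        printf '%s\t%s\n' "$h" "$(probe_host "$h")"
    done
fi
```

    Usage: `sh poodle-check.sh www.example.com mail.example.com` (file name assumed). Any host reported as ENABLED still negotiates SSLv3 and needs the configuration change described below.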

    Disable SSLv3 in Apache

    If you are running an Apache web server that currently allows SSLv3, you will need to edit the Apache configuration.
    On Debian and Ubuntu the file is /etc/apache2/mods-available/ssl.conf
    On CentOS and Fedora the file is /etc/httpd/conf.d/ssl.conf

    You will need to add the following line to your Apache configuration, alongside the other SSL directives.

    SSLProtocol All -SSLv2 -SSLv3

    This will allow all protocols except SSLv2 and SSLv3. You can test your configuration change with the command:

    apachectl configtest

    You will then need to restart your Apache web server. On Ubuntu and Debian:

    sudo service apache2 restart

    On CentOS and Fedora:

    systemctl restart httpd

    Disable SSLv3 in NGINX

    If you are running an NGINX web server, you'll need to edit the NGINX configuration file, nginx.conf, which can be found at /etc/nginx/nginx.conf. You will need to add the following line to your server directive:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    This will prevent SSLv3 from being used. You will need to restart your nginx server afterwards:

    sudo service nginx restart
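    The script below is an added example that is not part of the original notice or of either project's tooling: it checks the two directives from the Apache and NGINX sections above for whether SSLv3 is still allowed, and audits every such directive in a configuration file. The point it demonstrates is that Apache's SSLProtocol is evaluated token by token from left to right (a bare token replaces the set, "+" adds, "-" removes), so "All -SSLv3" is safe while "-SSLv3 All" still leaves SSLv3 on; NGINX's ssl_protocols is a plain list, and SSLv3 is enabled exactly when it is listed (when the directive is absent, the build's compiled default applies, and older nginx releases included SSLv3 in that default). The sample configuration files are constructed and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notice): decide, from the value of an
# SSLProtocol (Apache) or ssl_protocols (nginx) directive, whether SSLv3 is still
# allowed, then audit every such directive found in a configuration file.

# Both servers match protocol names case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Apache mod_ssl processes SSLProtocol tokens left to right: a bare token
# replaces the whole set, "+tok" adds to it, "-tok" removes from it.
# Prints "enabled" or "disabled" for SSLv3.
apache_sslv3() {
    state=disabled
    for tok in $1; do
        case "$(lc "$tok")" in
            -all|-sslv3) state=disabled ;;
            +all|+sslv3) state=enabled ;;
            all|sslv3)   state=enabled ;;   # bare token resets the set, SSLv3 included
            +*|-*)       ;;                 # some other protocol added/removed: no change
            *)           state=disabled ;;  # bare TLSv1 etc. resets the set without SSLv3
        esac
    done
    echo "$state"
}

# nginx ssl_protocols is a plain list: SSLv3 is enabled exactly when listed.
nginx_sslv3() {
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        if [ "$(lc "$tok")" = sslv3 ]; then echo enabled; return 0; fi
    done
    echo disabled
}

# Print "<line>: <directive> <value> -> sslv3 <state>" for every directive in the
# file; return 1 if any of them still allows SSLv3. Every occurrence is reported
# because a VirtualHost / server block may override the global setting.
audit_file() {
    file=$1
    rc=0
    while IFS= read -r hit; do
        [ -n "$hit" ] || continue
        lineno=${hit%%:*}
        line=${hit#*:}
        line=${line%%#*}                       # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ';') # drop nginx terminator
        set -- $line                           # $1 = directive name, rest = value
        name=$1; shift
        state=unknown
        case "$(lc "$name")" in
            sslprotocol)   state=$(apache_sslv3 "$*") ;;
            ssl_protocols) state=$(nginx_sslv3 "$*") ;;
        esac
        if [ "$state" = enabled ]; then rc=1; fi
        echo "$lineno: $name $* -> sslv3 $state"
    done <<EOF
$(grep -nEi '^[[:space:]]*(SSLProtocol|ssl_protocols)[[:space:]]' "$file")
EOF
    return $rc
}

# Constructed sample files (not real server configs) used for the demonstration.
APACHE_SAMPLE=$(mktemp)
NGINX_SAMPLE=$(mktemp)
trap 'rm -f "$APACHE_SAMPLE" "$NGINX_SAMPLE"' EXIT
cat > "$APACHE_SAMPLE" <<'EOF'
# constructed: global setting is fine, the vhost override is not
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol -SSLv3 All   # token order leaves SSLv3 on
</VirtualHost>
EOF
cat > "$NGINX_SAMPLE" <<'EOF'
# constructed: the recommended nginx setting
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF

for f in "$APACHE_SAMPLE" "$NGINX_SAMPLE"; do
    echo "== $f"
    audit_file "$f" || echo "   at least one directive still allows SSLv3"
done
```

    To run it against a real server, call audit_file on /etc/apache2/mods-available/ssl.conf, /etc/httpd/conf.d/ssl.conf or /etc/nginx/nginx.conf and on any included vhost files; a non-zero exit status means at least one directive still allows SSLv3.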

    Please submit a ticket via support@wizzsolutions.com or within your client.wizzsolutions.com if you would like help patching your server for this vulnerability.

    WizzSolutions Security Team


    Sources:
    http://nginx.com/blog/nginx-poodle-ssl/
    http://blog.adityapatawari.com/2014/10/how-to-check-for-ssl-poodle-sslv3-bug.html
    https://linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
