POODLE SSLv3 Vulnerability Fix!

Submitted by ricardo on Wed, 10/15/2014 - 11:21

First of all, disable SSLv3 in your browser before fixing your server.

If your Chrome/Firefox is up to date you can use newer protocols like TLSv1 or above. If you have Internet Explorer 7 or lower, then you need to upgrade or use another browser/operating system.

Check if your server is vulnerable:

openssl s_client -connect www.acquia.com:443 -ssl3
If the SSLv3 handshake is refused, the server is not using SSLv3 and is not vulnerable; the output looks something like:
CONNECTED(00000003)
12721:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1099:SSL alert number 40
12721:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

If you get the certificate back instead, the server completed an SSLv3 handshake: you are probably vulnerable and should disable SSLv3 now!
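The same check, wrapped so it can be run over a list of services (including a Postfix port via STARTTLS). This is an added example, not part of the original post; the host names are constructed placeholders, and the output patterns it matches are the ones quoted above plus the "unknown option" error a modern OpenSSL build without SSLv3 prints.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -ssl3` output to tell whether a
# service still completes an SSLv3 handshake. Hosts below are placeholders.

# classify_s_client_output: read the combined stdout/stderr of s_client on
# stdin and print one word: DISABLED, ENABLED, INCONCLUSIVE or UNREACHABLE.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"nknown option"*|*"null ssl method passed"*)
            # The client-side OpenSSL has SSLv3 compiled out, so this run
            # says nothing about the server; test from an older build instead.
            echo INCONCLUSIVE ;;
        *"alert handshake failure"*|*"alert protocol version"*|*"unsupported protocol"*)
            # Server refused the SSLv3 handshake (the output shown in the post).
            echo DISABLED ;;
        *"BEGIN CERTIFICATE"*)
            # Server sent its certificate over SSLv3: the protocol is enabled.
            echo ENABLED ;;
        *)
            echo UNREACHABLE ;;
    esac
}

# check_ssl3 HOST PORT [STARTTLS_PROTO]
#   check_ssl3 www.example.test 443          # HTTPS (Apache, Nginx, Tomcat)
#   check_ssl3 mail.example.test 25 smtp     # Postfix via STARTTLS
check_ssl3() {
    host=$1; port=$2; starttls=$3
    extra=""
    [ -n "$starttls" ] && extra="-starttls $starttls"
    # </dev/null closes s_client's stdin so it exits after the handshake attempt.
    status=$(openssl s_client -connect "$host:$port" -ssl3 $extra </dev/null 2>&1 \
             | classify_s_client_output)
    printf '%s:%s %s\n' "$host" "$port" "$status"
}
```

Run it against every host and port you administer, and treat any ENABLED line as a server that still needs the configuration changes below.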

In case you really need SSLv3 there is a patch that prevents the attacker from forcing a downgrade from TLSv1 to SSLv3: http://marc.info/?l=openssl-dev&m=141333049205629&w=2 (TLS Fallback SCSV), but since SSLv3 is very old it should really not be used at all.

Fix is simple:

Disable SSLv3 on all of your webservers!

Examples for Ubuntu/Debian Linux

Apache:

Edit /etc/apache2/mods-available/ssl.conf so that the SSLProtocol line reads:
SSLProtocol all -SSLv2 -SSLv3
or apply the change with sed:
sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
Restart:
sudo service apache2 restart

Nginx:

Find every site file that has an "ssl_protocols" line and change that line to the value below:
/etc/nginx# grep -rn ssl_protocols *
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart:
sudo service nginx restart

Postfix:

To update /etc/postfix/main.cf, run:
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'

Restart:
sudo service postfix restart

Tomcat:

Update the HTTPS Connector in /etc/tomcat7/server.xml so that its "sslProtocol" line reads:
sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1"
Restart:
sudo /etc/init.d/tomcat7 restart

Advisory updates:
https://access.redhat.com/articles/1232123
http://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advi…
http://marc.info/?l=openssl-dev&m=141333049205629&w=2
