First of all, disable SSLv3 in your browser before fixing your server.
If your Chrome/Firefox is up to date it can already use newer protocols (TLSv1 or above). If you have Internet Explorer 7 or lower, you need to upgrade or use another browser/operating system.
Check if your server is vulnerable:
openssl s_client -connect www.acquia.com:443 -ssl3
You are not using SSLv3, and are not vulnerable, if you get something like:
CONNECTED(00000003)
12721:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1099:SSL alert number 40
12721:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
If the handshake completes and you get the certificate back, the server still accepts SSLv3 and you are probably vulnerable, so disable SSLv3 now! One caveat: many recent OpenSSL builds (OpenSSL 1.1.0 and later by default) are compiled without SSLv3, and there the -ssl3 option is rejected ("unknown option -ssl3"). That tells you nothing about the server, so run the check from a machine whose openssl still speaks SSLv3.
If you really need SSLv3, there is a patch that blocks the downgrade attack from TLSv1 to SSLv3: http://marc.info/?l=openssl-dev&m=141333049205629&w=2 (TLS_FALLBACK_SCSV). It only protects clients that also implement it, and since SSLv3 is very old it should really not be used at all.
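As an added example (not code from the original post), here is the same s_client probe wrapped in a small POSIX shell script that classifies the result instead of leaving it to be read by eye, so a batch of hosts can be checked and a local openssl without SSLv3 support is not mistaken for a secure server. It assumes only that an openssl binary is on PATH; the sample outputs embedded at the bottom are constructed for offline testing, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): wrap "openssl s_client ... -ssl3" so the
# outcome is classified and several hosts can be probed in one go.
# Only dependency: an openssl binary on PATH. Hostnames are whatever you pass in.

# Classify captured output of "openssl s_client -connect HOST:PORT -ssl3" (read from stdin):
#   sslv3-enabled      handshake completed and the server sent its certificate
#   sslv3-disabled     server refused SSLv3 (handshake_failure / protocol_version alert)
#   probe-unsupported  local openssl was built without SSLv3, so the probe proves nothing
#   unknown            anything else (connection refused, timeout, ...): look at it by hand
classify_sslv3_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo probe-unsupported
    elif printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo sslv3-enabled
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|protocol version|alert number (40|70)'; then
        echo sslv3-disabled
    else
        echo unknown
    fi
}

# Probe one host. stdin is /dev/null so s_client exits as soon as the handshake ends.
probe_sslv3() {
    host=$1
    port=${2:-443}
    verdict=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1 | classify_sslv3_probe)
    printf '%s:%s %s\n' "$host" "$port" "$verdict"
}

# Constructed sample outputs (not real captures) so the classifier can be exercised offline.
SAMPLE_REFUSED='CONNECTED(00000003)
12721:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1099:SSL alert number 40
12721:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = www.example.com
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'

# Usage: sh sslv3-check.sh host[:port] ...   (no arguments: only the functions are defined)
for target in "$@"; do
    case $target in
        *:*) probe_sslv3 "${target%%:*}" "${target##*:}" ;;
        *)   probe_sslv3 "$target" ;;
    esac
done
```

Run it as `sh sslv3-check.sh www.example.com mail.example.com:465` and treat anything other than `sslv3-disabled` as a server to look at; `probe-unsupported` means you need to repeat the check from a box with an older openssl.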
The fix is simple:
Disable SSLv3 on all of your servers!
Examples for Ubuntu/Debian Linux
Apache:
Edit /etc/apache2/mods-available/ssl.conf and change the SSLProtocol line to the one below (also check the virtual-host files under /etc/apache2/sites-enabled, which can override it with their own SSLProtocol line):
SSLProtocol all -SSLv2 -SSLv3
or, if the file still has the stock "SSLProtocol all -SSLv2" line, patch it in place:
sed -i 's/SSLProtocol all -SSLv2$/SSLProtocol all -SSLv2 -SSLv3/g' /etc/apache2/mods-available/ssl.conf
Restart:
sudo service apache2 restart
Nginx:
Find every site file that sets ssl_protocols and change the line to:
/etc/nginx# grep -rn ssl_protocols *
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
If no file sets ssl_protocols at all, add the line to the http block of /etc/nginx/nginx.conf: nginx releases before 1.9.1 included SSLv3 in the built-in default.
Restart:
sudo service nginx restart
Postfix:
To update /etc/postfix/main.cf run:
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'
The same two settings exist for Postfix's outbound client side (smtp_tls_protocols and smtp_tls_mandatory_protocols) if you also want to stop SSLv3 on the connections your server makes.
Restart:
sudo service postfix restart
Tomcat:
Edit /etc/tomcat7/server.xml and change the HTTPS connector's sslProtocol attributes to:
sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1"
sslEnabledProtocols="TLSv1" allows TLS 1.0 only; on Java 7 or later you can list TLSv1.1 and TLSv1.2 there as well. These attributes belong to the JSSE connector; the APR/native connector uses SSLProtocol instead.
Restart:
sudo /etc/init.d/tomcat7 restart
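The Apache, nginx and Postfix edits above are easy to get subtly wrong (a vhost file that still says "all -SSLv2", an nginx file with no ssl_protocols line at all, a main.cf with only one of the two parameters changed). As an added example (not code from the original post), the following POSIX shell script audits configuration files for those mistakes offline, before you restart anything. The paths in audit_system are the Debian/Ubuntu defaults and an assumption; each checker takes an explicit file so it also works on copies pulled from other hosts.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of Apache, nginx and Postfix
# configuration files for SSLv3 still being allowed. Paths in audit_system are
# Debian/Ubuntu defaults and an assumption; every checker takes an explicit file.
# Each checker prints one verdict and returns 0 (ok), 1 (sslv3-allowed) or 2 (no directive).

# Apache: token order in SSLProtocol is irrelevant, so "all -SSLv3" and "-SSLv3 all" are
# both fine; "all" without "-SSLv3", or an explicit "SSLv3"/"+SSLv3", still allows SSLv3.
# No SSLProtocol line means the value is inherited from the global ssl.conf.
check_apache_sslprotocol() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "sslprotocol" {
            found = 1; all = 0; minus = 0; plus = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all") all = 1
                else if (t == "-sslv3") minus = 1
                else if (t == "sslv3" || t == "+sslv3") plus = 1
            }
            if ((all && !minus) || plus) anybad = 1
        }
        END {
            if (!found) { print "inherited"; exit 2 }
            if (anybad) { print "sslv3-allowed"; exit 1 }
            print "ok"
        }' "$1"
}

# nginx: any ssl_protocols directive that lists SSLv3 is bad. A file without the
# directive uses the compiled-in default, which included SSLv3 before nginx 1.9.1,
# so "default" must be treated as "allowed" on older releases.
check_nginx_ssl_protocols() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "ssl_protocols" {
            found = 1
            if (tolower($0) ~ /sslv3/) anybad = 1
        }
        END {
            if (!found) { print "default"; exit 2 }
            if (anybad) { print "sslv3-allowed"; exit 1 }
            print "ok"
        }' "$1"
}

# Postfix: check one parameter (e.g. smtpd_tls_protocols) in main.cf. The last
# assignment wins, as in Postfix itself; the value must exclude SSLv3 with "!SSLv3".
# Continuation lines (leading whitespace) are not handled, so keep values on one line.
check_postfix_tls_protocols() {
    awk -v param="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" param "[ \t]*=") {
            found = 1
            v = tolower($0)
            sub(/^[^=]*=/, "", v)
            ok = (v ~ /!sslv3/)
        }
        END {
            if (!found) { print "default"; exit 2 }
            if (!ok) { print "sslv3-allowed"; exit 1 }
            print "ok"
        }' "$1"
}

# Walk the stock Debian/Ubuntu locations (assumed). nginx files that terminate TLS but
# never set ssl_protocols are not listed here; find those by hand ("default" verdict).
audit_system() {
    for f in $(grep -rli '^[[:space:]]*SSLProtocol' /etc/apache2 2>/dev/null); do
        printf 'apache  %s: %s\n' "$f" "$(check_apache_sslprotocol "$f")"
    done
    for f in $(grep -rl 'ssl_protocols' /etc/nginx 2>/dev/null); do
        printf 'nginx   %s: %s\n' "$f" "$(check_nginx_ssl_protocols "$f")"
    done
    if [ -r /etc/postfix/main.cf ]; then
        for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
                 smtp_tls_protocols smtp_tls_mandatory_protocols; do
            printf 'postfix %s: %s\n' "$p" "$(check_postfix_tls_protocols /etc/postfix/main.cf "$p")"
        done
    fi
}

# Usage: sh sslv3-audit.sh --system   (no argument: only the functions are defined)
if [ "${1:-}" = "--system" ]; then
    audit_system
fi
```

The checkers deliberately parse the files rather than asking the running daemon, so they are useful on a copy of the config and before the restart; after restarting, confirm with the s_client probe from the top of the page, since only the live handshake proves the daemon really loaded the new setting.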
Advisories:
https://access.redhat.com/articles/1232123
http://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advi…
http://marc.info/?l=openssl-dev&m=141333049205629&w=2