Disable SSLv3 in Apache, Nginx and IIS against POODLE Vulnerability

You might have heard of latest vulnerability ( CVE­2014-3566 ) in SSLv3 which is nicknamed as POODLE, the ‘Padding Oracle On Downgraded Legacy Encryption’ attack. It is a new bug discovered by Google in the SSLv3 protocol. This allows an attacker to decipher the plain text content of an SSLv3 encrypted message. If a site supporting SSLv3, the attacker can force the client to use SSLv3 since web browsers fail at connecting to the latest SSL version ( TLS 1.0/1.1/1.2) during negotiation process. Any software or applications that are used to communicate with SSLv3 is vulnerable to this Poodlebleed. The easiest work around to this vulnerability is to disable the SSLv3 support on web server and in client browser respectively.

In this article, we will discuss how to disable it on Server Side.

Apache Web Server :

To disable SSLv3 support on the Apache web server, we need to tell SSLProtocol directive not to use SSLv3.

On Ubuntu, this can be done by editing the file /etc/apache2/mods-available/ssl.conf and configure it using the following.

SSLProtocol All -SSLv2 -SSLv3

On CentOS, the same thing can be done by editing the default ssl conf file located in /etc/httpd/conf.d/ssl.conf

Save and close the file. Restart the web service to take effect the change we have made.

Nginx Web Server :

Disabling SSLv3 support in Nginx is pretty easy. We need to add the following to the global configuration file /etc/nginx/nginx.conf in the server directive.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

This will deactivate SSLv3 from being used on Nginx.

IIS Web Server :

Disabling SSLv3 on IIS need some registry tweaks and server reboot. What we need is to create a DWORD called “Enable” with value 0 in registry HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProvider\SCHANNEL\Protocols\SSL 3.0\Server key

Once done, a server reboot is needed to take effect.

Testing SSLv3 :

There are several ways to check whether SSLv3 is disabled or not. One easy method is to use OpenSSL command line.

openssl s_client -connect techdire.com:443 -ssl3

routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If you see the above message, your site is not supported SSLv3 and is safe from this vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts