Patch your webservers for the SSLv3 POODLE vulnerability (CVE­-2014­-3566)

Mattias Geniar, Wednesday, October 15, 2014 - last modified: Thursday, November 13, 2014

First, read this: CVE­-2014­-3566.

Next: realise that the SSL vulnerability in SSLv3 isn't limited to just webservers. It's any client or server that uses the SSLv3 protocol: from SSL tunnels to encryption services to remote management interfaces.

Here's how to apply a quick patch to Nginx and Apache to disable SSLv3 entirely. The current stats show about 0.5-3% of the internet still uses this (mostly Windows XP with IE6), and they will effectively be blocked out of using the HTTPs sites. But since both Windows XP and IE6 have long passed their maximum expiration date, I wouldn't bother.

Internally at Nucleus, we had a brief discussion about this which eventually just ended in the following statement / conclusion.

Here's the situation: SSLv3 has been found to have a major flaw, allowing the traffic to be decrypted (link)

SSLv3 is an 18y-old protocol that has flaws. If we disable the SSLv3 protocol, to fix this flaw, we effectively block any Windows XP user with IE6 from accessing the site. Windows XP with newer browsers (IE6+ or Firefox/Chrome) will not have any problem.

The "problem" is in the way SSL works: any browser can be tricked to downgrade the SSL connection from a secure TLS 1.2 to the old SSLv3. That includes any recent browser. So if we support SSLv3 for older Windows XP/IE6, we effectively make all other -- modern -- browsers vulnerable as well.

Here's the million dollar question: can we disable SSLv3, knowing fully well we then block all Windows XP users with IE6 from accessing the site? Or should we still support SSLv3, effectively rendering SSL mostly useless for _all_ users on the site (because of the SSLv3 downgrade possibilities)?

To disable SSLv3, keeping in mind the comments made above, you can do so as shown below.

Nginx

Change this:

ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;

To this:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

Remove the support for SSLv3 in the Nginx cyphers. Then restart your Nginx service.

Apache

Add the following in your SSL configurations to disable support for older SSLv2 and SSLv3 protocols.

SSLProtocol All -SSLv2 -SSLv3

After the change, restart Apache to make the changes apply.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Comments

Stéphan Wednesday, October 15, 2014 at 14:15 - Reply

The answer should be simple:
If nobody starts denying access to those reluctant to update, they will never update.

In order to prevent them (non-upgraders) from becoming their own victim, we have to set the bar.
This bar should’ve been set years ago anyway..


Scott Helme Thursday, October 16, 2014 at 02:07 - Reply

If users or site owners do want to completely remove support for SSLv3, I’ve written a blog detailing the steps for the most common server platforms (NginX, Apache, IIS) and browsers (Chrome, Firefox, Internet Explorer): http://scotthel.me/poodle


Leave a Reply

Your email address will not be published. Required fields are marked *

Inbound links