Patch your webservers for the SSLv3 POODLE vulnerability (CVE-2014-3566)


Mattias Geniar, October 15, 2014


First, read this: CVE-2014-3566.

Next: realise that the SSL vulnerability in SSLv3 isn’t limited to just webservers. It’s any client or server that uses the SSLv3 protocol: from SSL tunnels to encryption services to remote management interfaces.

Here’s how to apply a quick patch to Nginx and Apache to disable SSLv3 entirely. Current stats show that about 0.5-3% of the internet still uses it (mostly Windows XP with IE6), and those users will effectively be locked out of HTTPS sites. But since both Windows XP and IE6 have long passed their maximum expiration date, I wouldn’t bother.

Internally at Nucleus, we had a brief discussion about this which eventually just ended in the following statement / conclusion.

Here’s the situation: SSLv3 has been found to have a major flaw, allowing the traffic to be decrypted (link)

SSLv3 is an 18-year-old protocol that has flaws. If we disable the SSLv3 protocol, to fix this flaw, we effectively block any Windows XP user with IE6 from accessing the site. Windows XP with newer browsers (IE6+ or Firefox/Chrome) will not have any problem.

The “problem” is in the way SSL works: any browser can be tricked into downgrading the SSL connection from a secure TLS 1.2 to the old SSLv3. That includes any recent browser. So if we support SSLv3 for older Windows XP/IE6, we effectively make all other – modern – browsers vulnerable as well.

Here’s the million dollar question: can we disable SSLv3, knowing full well we then block all Windows XP users with IE6 from accessing the site? Or should we still support SSLv3, effectively rendering SSL mostly useless for _all_ users on the site (because of the SSLv3 downgrade possibilities)?

To disable SSLv3, keeping in mind the comments made above, you can do so as shown below.

Nginx

Change this:

ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;

To this:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

Remove SSLv3 from the Nginx ssl_protocols list, then restart your Nginx service.

Apache

Add the following in your SSL configurations to disable support for older SSLv2 and SSLv3 protocols.

SSLProtocol All -SSLv2 -SSLv3

After the change, restart Apache to apply it.
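
To check existing configuration files for the two directives above, the following added example (not part of the original post) flags every ssl_protocols or SSLProtocol line that still leaves SSLv3 enabled. The function names and the sample input are constructed, and the Apache logic is a simplified model that assumes All includes SSLv3 and that tokens are evaluated left to right.

```python
import re

# Assumption: Apache's "All" shortcut includes SSLv3, which is why the
# page's Apache line subtracts it explicitly.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def nginx_allows_sslv3(args):
    """ssl_protocols is a plain list: SSLv3 is on only if it is named."""
    return "sslv3" in args.lower().split()

def apache_allows_sslv3(args):
    """Evaluate SSLProtocol left to right: '+X' adds, '-X' removes,
    and a bare token replaces everything set so far."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = APACHE_ALL if name == "all" else {name}
        if sign == "+":
            enabled |= protos
        elif sign == "-":
            enabled -= protos
        else:
            enabled = set(protos)
    return "sslv3" in enabled

DIRECTIVES = [
    (re.compile(r"^\s*ssl_protocols\s+([^;]*);"), nginx_allows_sslv3),
    (re.compile(r"^\s*SSLProtocol\s+(.+)$", re.I), apache_allows_sslv3),
]

def audit(config_text):
    """Return (line_number, directive) for each line that leaves SSLv3 on."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        for pattern, allows_sslv3 in DIRECTIVES:
            m = pattern.match(line)
            if m and allows_sslv3(m.group(1)):
                findings.append((lineno, line.strip()))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All -SSLv2
SSLProtocol -SSLv3 All
# SSLProtocol All
"""

if __name__ == "__main__":
    for lineno, directive in audit(SAMPLE):
        print(f"line {lineno}: SSLv3 still enabled: {directive}")
```

The fifth sample line shows why token order matters in this model: a bare All after -SSLv3 replaces the set and turns SSLv3 back on.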


