Vulnerability SSLv3 POODLE

HOW TO PROTECT YOUR SERVER

The easiest and most robust solution to POODLE is to disable SSLv3 support on your server. 

APACHE

To disable SSLv3 on your Apache server, edit the 'SSLProtocol' directive in the Apache and virtual host config files (located in /etc/apache2/ or /etc/httpd/) so that it reads:

SSLProtocol All -SSLv2 -SSLv3

This gives you support for TLSv1.0, TLSv1.1 and TLSv1.2, and explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache with these commands:

apachectl configtest
sudo service apache2 restart

NGINX

Disabling SSLv3 support on Nginx is also really easy. Find its config file and virtual host configs (they are located in /etc/nginx/) and edit the ssl_protocols line so that it reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Similar to the Apache config above, you will get TLSv1.0+ support and no SSL. Check the config and restart:

sudo nginx -t
sudo service nginx restart
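
A local check for the Apache and Nginx settings above, as an added example that is not part of the original article or of either server's tooling: it reads config text and reports every SSLProtocol or ssl_protocols line that still leaves SSLv2 or SSLv3 enabled. The function names, the sample config and the way All and bare protocol names are modelled are assumptions of this example.

```python
import re

# Assumption: "All" is modelled as every protocol this page names, SSLv3 included.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.IGNORECASE)


def enabled_protocols(directive, args):
    """Return the lower-cased protocol set a directive line leaves enabled."""
    tokens = args.lower().split()
    if directive.lower() == "ssl_protocols":
        return set(tokens)              # nginx: a plain list of enabled protocols
    enabled = set()                     # Apache: apply +/- tokens left to right
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        group = APACHE_ALL if name == "all" else {name}
        # Simplification: a bare name is treated like +name (errs towards flagging).
        enabled = enabled - group if sign == "-" else enabled | group
    return enabled


def audit(config_text):
    """Return [(line_number, directive_line, legacy_ssl_protocols)] per directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue                    # comments and unrelated directives
        enabled = enabled_protocols(match.group(1), match.group(2))
        legacy = sorted(p for p in enabled if p.startswith("ssl"))
        findings.append((number, line.strip(), legacy))
    return findings


# Constructed sample input, not taken from a real server.
SAMPLE = """\
# SSLProtocol All
SSLProtocol All -SSLv2
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for number, text, legacy in audit(SAMPLE):
        print(f"line {number}: {text!r} -> {'FIX: ' + ', '.join(legacy) if legacy else 'ok'}")
```

Run it over every virtual host file, not just the main config: a single leftover directive that still lists SSLv3 gets reported here with its line number.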

IIS

This one requires some registry changes and a server reboot. Microsoft have a support article with the required information. All you need to do is modify/create a registry DWORD value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Create an SSL 3.0 key under Protocols if it does not already exist. Under that, create a Server key, and inside it a DWORD value called Enabled with value 0. Once that's done, reboot the server for the changes to take effect.

HOW TO CHECK YOUR SERVER

The easiest and probably the most widespread method to test your server's SSL configuration is the Qualys SSL Test. Open the test, enter the domain name of the site hosted on the server you would like to check, and hit submit to start testing.

Once the test is finished, look at the server's supported protocols in the Configuration section.

The expected result is that you have no SSL protocols supported. Supporting TLSv1.0 or better is good enough to support the absolute vast majority of internet users without exposing them to unnecessary risk.

HOW TO PROTECT YOUR BROWSER

It is also possible to protect yourself from POODLE by disabling SSLv3 support in your browser.

FIREFOX

Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1.

CHROME

Chrome users can add the command line flag --ssl-version-min=tls1 to enforce the use of TLS and prevent any connection using the SSL protocol. In Windows, right-click on your Chrome shortcut, hit Properties and add the command line flag.

If you use Google Chrome on Mac, Linux, Chrome OS or Android, you can follow these instructions here.

INTERNET EXPLORER

Fixing up Internet Explorer is also pretty easy. Go to Settings, Internet Options and click on the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it.

HOW TO CHECK YOUR BROWSER

There's also the Qualys SSL Client Test to see what your browser supports.

Information taken from the site https://scotthelme.co.uk/ and presented in a compressed form. The VPS.us team is grateful to the author.
