SSLv3 vulnerability: POODLE
HOW TO PROTECT YOUR SERVER
The easiest and most robust fix for POODLE is to disable SSLv3 support on your server. POODLE is a padding-oracle flaw in SSLv3's CBC cipher suites, so there is no patch that keeps SSLv3 safe; the protocol itself has to go.

APACHE
To disable SSLv3 on Apache, edit the SSLProtocol directive in the main Apache config and in every virtual host config (under /etc/apache2/ or /etc/httpd/, depending on the distribution) so that it reads:
SSLProtocol All -SSLv2 -SSLv3
This leaves TLSv1.0, TLSv1.1 and TLSv1.2 enabled and explicitly removes SSLv2 and SSLv3. A virtual host with its own SSLProtocol line overrides the server-wide setting, so check every virtual host, not just the main config. Test the configuration and then restart Apache:
apachectl configtest
sudo service apache2 restart
(On distributions that install Apache as httpd, the service is called httpd.)

NGINX
Disabling SSLv3 in nginx is just as easy. Find the main config file and the virtual host configs (under /etc/nginx/) and set the ssl_protocols directive in each of them to:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
As with the Apache config above, this gives you TLSv1.0 and up and no SSL at all. Check the config and restart:
sudo nginx -t
sudo service nginx restart

IIS
IIS needs registry changes and a server reboot; Microsoft publishes a support article with the details. All you need to do is modify or create one registry DWORD value under this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Under Protocols, create a key called SSL 3.0 if it does not already exist, under that a Server key, and inside it a DWORD value called Enabled with the value 0. Once that is done, reboot the server for the change to take effect.

HOW TO CHECK YOUR SERVER
The easiest and most widely used way to test a server's SSL/TLS configuration is the Qualys SSL Test. Open it, enter the domain name of a site hosted on the server you want to check and hit submit. When the test finishes, look at the Configuration section for the server's supported protocols. The expected result is that no SSL protocol is supported at all. Supporting TLSv1.0 or better is enough to serve the vast majority of internet users without exposing them to unnecessary risk. (TLSv1.0 and TLSv1.1 have since been deprecated by RFC 8996, so if your clients allow it, restrict the server to TLSv1.2 and later.)

HOW TO PROTECT YOUR BROWSER
You can also protect yourself from POODLE by disabling SSLv3 support in your browser.

FIREFOX
Firefox users can type

CHROME
Chrome users can add the command line flag --ssl-version-min=tls1 to enforce TLS and refuse any connection that uses the SSL protocol. On Windows, right click your Chrome shortcut, choose Properties and append the flag to the Target field. On Mac, Linux, Chrome OS or Android the way to pass command line flags to Chrome differs by platform.

INTERNET EXPLORER
Fixing Internet Explorer is also easy. Go to Settings, Internet Options and click the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it.

HOW TO CHECK YOUR BROWSER
The Qualys SSL Client Test shows which protocols your browser supports.

This information was taken from https://scotthelme.co.uk/ and is presented here in compressed form. The VPS.us team is grateful to the author.
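The Apache and nginx edits and the "check your server" step above can be audited locally before you point the Qualys test at the box. The script below is an added example, not code from the original post or from Scott Helme's site: it evaluates SSLProtocol values the way mod_ssl does (tokens are applied left to right, "+name" adds, "-name" removes and a bare name replaces the list built so far), treats nginx's ssl_protocols as the plain list it is, counts directives that leave SSLv3 enabled in a config file, and offers an optional live probe with openssl s_client. The function names, the temp-dir file names and the before/after config snippets written by write_demo_configs are my own constructed inputs; on a real server you would run audit_config over the files under /etc/apache2/, /etc/httpd/ or /etc/nginx/ instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from Scott Helme's site:
# audit Apache and nginx configs for SSLv3 before and after the edits above,
# and optionally probe a live server. Function and file names are my own;
# the config snippets written by write_demo_configs are constructed.

# Lower-case a token: mod_ssl and nginx match protocol names case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Apache: evaluate an SSLProtocol value the way mod_ssl parses it, left to
# right: "+name" adds a protocol, "-name" removes one, and a bare name
# REPLACES the set built so far (mod_ssl logs a warning when that overrides
# earlier tokens). "all" means every protocol. Prints 1 if SSLv3 stays on.
apache_sslv3_allowed() {
  allowed=0
  for tok in $1; do
    case "$(lc "$tok")" in
      +all|+sslv3) allowed=1 ;;
      -all|-sslv3) allowed=0 ;;
      +*|-*)       ;;              # some other protocol added or removed
      all|sslv3)   allowed=1 ;;    # bare token: replaces the list
      *)           allowed=0 ;;    # bare token naming another protocol
    esac
  done
  echo "$allowed"
}

# nginx: ssl_protocols is a plain list, so SSLv3 is on iff it is listed.
# The directive's trailing ";" is tolerated.
nginx_sslv3_allowed() {
  for tok in $1; do
    t=$(lc "$tok"); t=${t%;}
    [ "$t" = sslv3 ] && { echo 1; return 0; }
  done
  echo 0
}

# Audit one config file ($2) of kind $1 (apache|nginx): report each directive
# that leaves SSLv3 enabled on stderr and print the count on stdout. A file
# with no directive gets a warning, because the server default applies there,
# and older releases (Apache up to 2.4.16, nginx before 1.9.1) allowed SSLv3
# by default.
audit_config() {
  kind=$1; file=$2; count=0
  case "$kind" in apache) d=sslprotocol ;; nginx) d=ssl_protocols ;; esac
  # Drop comments, keep lines whose first word is the directive.
  matches=$(sed 's/#.*//' "$file" | grep -i "^[[:space:]]*$d[[:space:]]" || true)
  [ -z "$matches" ] && echo "$file: no $d directive, server default applies" >&2
  while read -r name value; do
    [ -z "$value" ] && continue
    case "$kind" in
      apache) r=$(apache_sslv3_allowed "$value") ;;
      nginx)  r=$(nginx_sslv3_allowed "$value") ;;
    esac
    if [ "$r" = 1 ]; then
      echo "$file: SSLv3 ENABLED by '$name $value'" >&2
      count=$((count + 1))
    fi
  done <<EOF
$matches
EOF
  echo "$count"
}

# Live check. Needs network access and an OpenSSL built with SSLv3 support
# (many distro builds reject -ssl3 as an unknown option). Returns 0 only if
# the server completed an SSLv3 handshake, i.e. it is still vulnerable.
probe_sslv3() {
  out=$(openssl s_client -connect "$1:443" -ssl3 </dev/null 2>/dev/null) || return 1
  ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'
}

# Constructed before/after snippets for the demo, written into directory $1.
write_demo_configs() {
  printf '<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol all -SSLv2  # SSLv3 still on\n</VirtualHost>\n' > "$1/apache-before.conf"
  printf '<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n' > "$1/apache-after.conf"
  printf 'server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$1/nginx-before.conf"
  printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$1/nginx-after.conf"
}

demo=$(mktemp -d)
write_demo_configs "$demo"
for f in apache-before apache-after; do
  echo "$f: $(audit_config apache "$demo/$f.conf") directive(s) allow SSLv3"
done
for f in nginx-before nginx-after; do
  echo "$f: $(audit_config nginx "$demo/$f.conf") directive(s) allow SSLv3"
done
rm -rf "$demo"
```

Run as-is and the demo reports 1 offending directive for each "before" snippet and 0 for each "after" snippet, with the offending lines on stderr. For a real audit, call audit_config once per file (for example over /etc/apache2/sites-enabled/*.conf or /etc/nginx/conf.d/*.conf) and treat both a non-zero count and the "no directive" warning as work to do; then confirm with probe_sslv3 yourhost or the Qualys test after the restart. Note that the Apache parser deliberately models the bare-token behaviour: "SSLProtocol -SSLv3 all" still ends with SSLv3 enabled, which is a mistake that is easy to make by hand.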