POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability that was found on October 14th, 2014, which allows an attacker to read any encrypted information using the SSLv3 protocol by performing a man-in-the-middle attack. Although many programs use SSLv3 as a fallback, it has come to the point where it should be disabled, as many clients can be forced into using SSLv3. Forcing a client into SSLv3 increases the chance of an attack taking place. This article will show you how to disable SSLv3 in select software applications that are commonly used today.
Disabling SSLv3 on Nginx

Head to the configuration file where your server information is stored, for example /etc/nginx/sites-enabled/ssl.example.com.conf (replace the path according to your configuration). Within the file, look for ssl_protocols. Make sure this line exists and matches the following:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

This will enforce the use of TLS, thus disabling SSLv3 (and any older or obsolete protocols). Now restart your Nginx server by running one of the following commands.

CentOS 7:

    systemctl restart nginx

Ubuntu/Debian:

    service nginx restart

Disabling SSLv3 on Apache

To disable SSLv3, head to the module configuration directory for Apache. On Ubuntu/Debian it may be /etc/apache2/mods-available, whereas on CentOS it may be located in /etc/httpd/conf.d. Look for the ssl.conf file. Open ssl.conf and find the SSLProtocol directive. Make sure this line exists and matches the following:

    SSLProtocol all -SSLv3 -SSLv2

Once finished, save, then restart your server by running one of the following commands.

CentOS 7:

    systemctl restart httpd

Ubuntu/Debian:

    service apache2 restart

Disabling SSLv3 on Postfix

Head to your postfix directory, typically /etc/postfix/. Open the main.cf file and look for smtpd_tls_mandatory_protocols. Make sure this line exists and matches the following:

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2

This leaves only TLS (TLSv1, TLSv1.1 and TLSv1.2) enabled for mandatory TLS on your Postfix server. Once done, save and restart.

CentOS 7:

    systemctl restart postfix

Ubuntu/Debian:

    service postfix restart

Disabling SSLv3 on Dovecot

Open the file located at /etc/dovecot/conf.d/10-ssl.conf. Then find the line that contains ssl_protocols and make sure it matches the following:

    ssl_protocols = !SSLv2 !SSLv3 TLSv1.1 TLSv1.2

Once done, save and restart Dovecot.

CentOS 7:

    systemctl restart dovecot

Ubuntu/Debian:

    service dovecot restart

Testing that SSLv3 is Disabled

To verify that SSLv3 is disabled on your web server, run the following command (replace the domain and IP accordingly):

    openssl s_client -servername example.com -connect 0.0.0.0:443 -ssl3

You will see output similar to the following; the handshake failure (alert number 40) shows that the server refused to negotiate SSLv3:

    CONNECTED(00000003)
    140060449216160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
    140060449216160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1414181774
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)

If you want to confirm that your server is using TLS, run the same command but without -ssl3:

    openssl s_client -servername example.com -connect 0.0.0.0:443

You should see similar information displayed. Locate the Protocol line and confirm that it is using TLSv1.X (with X being 1 or 2 depending on your configuration). If you see this, then you have successfully disabled SSLv3 on your web server.