
How To Protect Server from POODLE SSLv3 Vulnerability

Vulnerability SSLv3 POODLE

Here we are going to discuss CVE-2014-3566. After the Heartbleed bug and the BEAST attack, we have now heard about a new one. The vulnerability is a weakness in SSL version 3 that allows an attacker in a man-in-the-middle position to decipher the plain text content of an encrypted message.
Now we are going to protect the pieces of software that can be involved with SSLv3. Here we are going to protect some common applications like Nginx, Apache and HAProxy.

Nginx Web Server

We can use the ssl_protocols directive to disable SSLv3 in the nginx web server; it goes in the server or http configuration block.
We can add this directive in the global configuration file /etc/nginx/nginx.conf, or in a file under the /etc/nginx/sites-enabled directory, which is included inside the http block. Follow the steps below for the nginx web server.

# vim /etc/nginx/nginx.conf

Add ssl_protocols directive like below to disable SSLv3.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

After that restart the web server service to read changes in configuration file.

# service nginx restart

Apache Web Server

On Ubuntu, we need to change or add the directive by editing the /etc/apache2/mods-available/ssl.conf file.

# vim /etc/apache2/mods-available/ssl.conf

On CentOS/RedHat, we need to adjust this in the SSL configuration file /etc/httpd/conf.d/ssl.conf

# vim /etc/httpd/conf.d/ssl.conf

Find the SSLProtocol directive in the configuration file; if it is not there, add it, and modify it to remove SSLv3 like below.

SSLProtocol all -SSLv3 -SSLv2

Save and exit the configuration file and restart the service so it reads the modified configuration.
On Ubuntu restart the service like below.

service apache2 restart

On CentOS, this would be:

service httpd restart
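Before restarting, it helps to confirm that the directive you edited really leaves SSLv3 out. The following script is an added example, not part of the original post: it parses SSLProtocol lines with Apache's all/+/- semantics and nginx ssl_protocols lines, and reports any SSLv2 or SSLv3 still enabled. The sample configurations are constructed inline.

```python
import re

# Protocols a server of this era could negotiate (TLS 1.3 did not exist yet).
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in PROTOCOLS}

def apache_enabled_protocols(conf):
    """Protocol set left enabled by the last SSLProtocol directive (default: all)."""
    enabled = set(PROTOCOLS)
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()                                # a new directive replaces the old one
        for tok in m.group(1).split():
            op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = set(PROTOCOLS) if name.lower() == "all" else {CANON.get(name.lower(), name)}
            enabled = (enabled | names) if op == "+" else (enabled - names)
    return enabled

def nginx_enabled_protocols(conf):
    """Protocol set from the last ssl_protocols directive, or None if it is absent."""
    enabled = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if m:
            enabled = {CANON.get(t.lower(), t) for t in m.group(1).split()}
    return enabled

def poodle_findings(server, conf):
    """Return a list of problems; an empty list means SSLv2 and SSLv3 are off."""
    parser = apache_enabled_protocols if server == "apache" else nginx_enabled_protocols
    enabled = parser(conf)
    if enabled is None:
        # nginx releases older than 1.9.1 included SSLv3 in the default, so insist on an explicit value.
        return ["ssl_protocols not set: set it explicitly to TLSv1 TLSv1.1 TLSv1.2"]
    return [f"{p} is still enabled" for p in ("SSLv2", "SSLv3") if p in enabled]

# Constructed sample configurations, before and after the fix described above.
NGINX_VULNERABLE = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
APACHE_VULNERABLE = "SSLEngine on\nSSLProtocol all\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv3 -SSLv2\n"

if __name__ == "__main__":
    for name, server, conf in [("nginx", "nginx", NGINX_VULNERABLE), ("apache", "apache", APACHE_FIXED)]:
        print(name, poodle_findings(server, conf) or "OK")
```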

A Linux geek and freelance contributor, server/cloud administrator with 6+ years of experience in open source and cloud technologies.
