Here we are going to discuss the SSLv3 POODLE vulnerability (CVE-2014-3566). After the Heartbleed bug and the BEAST attack, we now have a new vulnerability, POODLE. POODLE is a weakness in SSL version 3 that allows an attacker in a man-in-the-middle position to decipher the plaintext content of an SSLv3-encrypted message.

Understanding POODLE SSLv3

POODLE SSLv3 is a security vulnerability that affects the SSLv3 protocol, an outdated encryption standard that was widely used for securing online communications. The flaw lets attackers exploit weaknesses in the protocol's design, potentially gaining unauthorized access to sensitive information. Given the severity of the threat, it is imperative to take proactive measures to secure your server.
Now we are going to protect software that can be involved with SSLv3. Here we are going to protect some common applications like Nginx, Apache, and HAProxy.

Nginx Web Server

We can use the ssl_protocols directive to disable SSLv3 in the Nginx web server; it belongs in the server or http configuration block. We can add this directive in the global configuration file, /etc/nginx/nginx.conf, or in a site file inside the /etc/nginx/sites-enabled directory. Follow the steps below for the Nginx web server.

# vim /etc/nginx/nginx.conf

Add the ssl_protocols directive as below to disable SSLv3.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

After that, restart the web server service so it reads the changes in the configuration file.

systemctl restart nginx

Apache Web Server

On Ubuntu, we need to change or add the directive by editing the /etc/apache2/mods-available/ssl.conf file.

# vim /etc/apache2/mods-available/ssl.conf

On CentOS/RedHat or other RPM-based Linux distributions, we need to adjust this in the SSL configuration file:

# vim /etc/httpd/conf.d/ssl.conf

Find the SSLProtocol directive in the configuration file; if it is not there, add it. Modify it to remove SSLv3 as below:

SSLProtocol all -SSLv3 -SSLv2

Save and exit the configuration file, then restart the service so it reads the modification. On Ubuntu, restart the service like this:

service apache2 restart

On CentOS, this would be:

service httpd restart
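A quick way to confirm both the Nginx and the Apache changes above took effect is to lint the saved configuration file before restarting. The script below is an added example, not part of the original post: sslv3_allowed reads one file and reports whether its ssl_protocols or SSLProtocol directive still permits SSLv3 (the Apache token rules are a simplified, assumed version of mod_ssl's, and the sample files are constructed so it runs offline).

```shell
#!/bin/sh
# Added example (not from the original post): lint an Nginx or Apache config
# file for protocol directives that still permit SSLv3.
# Exit status: 0 = SSLv3 allowed, 1 = disabled, 2 = no protocol directive found
# (the server then inherits its compiled-in default).
sslv3_allowed() {
    conf="$1"
    # Drop comments and Nginx semicolons; keep only the protocol directives.
    directives=$(sed 's/#.*//; s/;//g' "$conf" |
        grep -E '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' || true)
    [ -z "$directives" ] && return 2
    status=1
    while IFS= read -r line; do
        set -- $line                 # $1 = directive name, rest = arguments
        name="$1"; shift
        if [ "$name" = "ssl_protocols" ]; then
            # Nginx lists enabled versions explicitly: SSLv3 present => allowed.
            for tok in "$@"; do [ "$tok" = "SSLv3" ] && status=0; done
        else
            # Apache (simplified rules, assumed): "all" or a bare "SSLv3" enables
            # it, "+SSLv3" adds it, "-SSLv3" removes it, any other bare token
            # replaces the list; later tokens win, other +/- tokens are ignored.
            apache=1
            for tok in "$@"; do
                case "$tok" in
                    [Aa][Ll][Ll]|SSLv3|+SSLv3) apache=0 ;;
                    -SSLv3)                    apache=1 ;;
                    -*|+*)                     ;;
                    *)                         apache=1 ;;
                esac
            done
            [ "$apache" -eq 0 ] && status=0
        fi
    done <<EOF
$directives
EOF
    return "$status"
}

report() {
    rc=0; sslv3_allowed "$1" || rc=$?
    case "$rc" in
        0) echo "$1: SSLv3 ALLOWED, remove it from the protocol directive" ;;
        1) echo "$1: SSLv3 disabled" ;;
        *) echo "$1: no protocol directive, compiled-in default applies" ;;
    esac
}

# Constructed sample files (real targets: /etc/nginx/nginx.conf, ssl.conf).
demo=$(mktemp -d)
printf 'ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n' > "$demo/nginx_weak.conf"
printf 'SSLProtocol all -SSLv3 -SSLv2\n' > "$demo/apache_fixed.conf"
for f in "$demo"/*.conf; do report "$f"; done
rm -r "$demo"
```

Run it against each file you edited; a line reporting SSLv3 ALLOWED means the directive still needs to be fixed before the restart.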

By Sachin G

I am a professional freelance contributor and the founder of Tech Transit. I love to write and am a lover of education, culture, and community. I have been using it, setting it up, supporting, and maintaining it since 2009. Linux rocks! Sachin G. Follow me on LinkedIn and X (formerly Twitter).