Here we discuss the SSLv3 POODLE vulnerability (CVE-2014-3566). After the Heartbleed bug and the BEAST attack, a new vulnerability, POODLE, has been disclosed. POODLE is a weakness in SSL version 3 that allows an attacker in a man-in-the-middle position to recover plaintext, such as a session cookie, from an SSLv3-encrypted connection one byte at a time, by abusing the loose padding check of SSLv3's CBC cipher suites. Because an active attacker can also break TLS handshakes until a client falls back to SSLv3, a server that still offers SSLv3 is exposed even when its clients prefer TLS.
Understanding POODLE SSLv3
POODLE is a security vulnerability in the SSLv3 protocol, a dated encryption standard that was still widely enabled for securing online communications. The flaw lies in the protocol's design rather than in any single implementation, so every SSLv3 implementation is affected and the only real fix is to stop offering SSLv3. Given the severity of the threat, it is imperative to take proactive measures to secure your server.
Next we disable SSLv3 in software that commonly terminates SSL connections. Here we cover some common applications: Nginx, Apache and HAProxy.
Nginx Web Server
Use the ssl_protocols directive to disable SSLv3 in the nginx web server. The directive is valid in the http block of the global configuration file, /etc/nginx/nginx.conf, or in a server block of a virtual host file under /etc/nginx/sites-enabled. Follow the steps below for the NGINX web server.
# vim /etc/nginx/nginx.conf
Add the ssl_protocols directive as below. Because nginx only enables the protocols that are listed, leaving SSLv3 out of the list disables it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart the web server so that it reloads the configuration file.
systemctl restart nginx
Apache Web Server
On Ubuntu, the SSL directives of mod_ssl live in /etc/apache2/mods-available/ssl.conf; change or add the directive by editing that file.
# vim /etc/apache2/mods-available/ssl.conf
On CentOS, Red Hat and other RPM-based Linux distributions, the same setting lives in the SSL configuration file /etc/httpd/conf.d/ssl.conf.
vim /etc/httpd/conf.d/ssl.conf
Find the SSLProtocol directive in the configuration file; if it is not there, add it. Set it to enable all protocols except SSLv3 and SSLv2, as below. Unlike nginx, Apache starts from "all" and subtracts, so the explicit -SSLv3 is what removes it.
SSLProtocol all -SSLv3 -SSLv2
Save and exit the configuration file, then restart the service so it picks up the modification. On Ubuntu, restart the service like below.
service apache2 restart
On CentOS, this would be:
service httpd restart
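To verify the changes to both servers, here is an added audit script that is not part of the original article. It scans a configuration file for the nginx `ssl_protocols` or Apache `SSLProtocol` directives and reports whether SSLv3 is still enabled, following nginx's explicit-list semantics and the +/- set arithmetic of Apache's directive, and it includes a live probe with `openssl s_client -ssl3`. The file paths are the distribution defaults named above; the function names and the sample configuration lines are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): audit nginx and Apache
# configuration for SSLv3 after applying the changes described above.
# Exit codes of audit_file: 0 = no SSLv3, 1 = SSLv3 still enabled,
# 2 = no protocol directive found (the server's compiled-in default applies,
# which on 2014-era nginx and Apache builds still includes SSLv3).

# Print every uncommented ssl_protocols (nginx) or SSLProtocol (Apache)
# directive in the file, with trailing '#' comments removed.
protocol_lines() {
    sed 's/#.*//' "$1" | grep -Ei '^[[:space:]]*(ssl_protocols|SSLProtocol)[[:space:]]' || true
}

# Return 0 if one directive line leaves SSLv3 enabled, 1 otherwise.
# nginx lists the enabled protocols explicitly, so SSLv3 is on only if named.
# Apache's SSLProtocol is set arithmetic: "all" or "+SSLv3" turns it on and a
# later "-SSLv3" or "-all" turns it off again, so the tokens are walked in order.
line_allows_sslv3() {
    enabled=0
    # Drop nginx's trailing ';', normalise case, then split into words.
    set -- $(printf '%s' "$1" | tr -d ';' | tr 'A-Z' 'a-z')
    name=$1
    shift
    for tok in "$@"; do
        case "$name:$tok" in
            ssl_protocols:sslv3) enabled=1 ;;
            sslprotocol:all|sslprotocol:+all|sslprotocol:sslv3|sslprotocol:+sslv3) enabled=1 ;;
            sslprotocol:-all|sslprotocol:-sslv3) enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Audit one file; prints each offending directive, see exit codes above.
audit_file() {
    lines=$(protocol_lines "$1")
    [ -n "$lines" ] || return 2
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if line_allows_sslv3 "$line"; then
            printf 'SSLv3 still enabled in %s: %s\n' "$1" "$line"
            bad=1
        fi
    done <<EOF
$lines
EOF
    [ "$bad" -eq 0 ]
}

# Live check against a running server: a completed handshake with -ssl3 means
# the server still speaks SSLv3. Caveat: most current OpenSSL builds are
# compiled without SSLv3, so "-ssl3" is rejected as an unknown option, which
# says nothing about the server; the function reports that as inconclusive.
probe_sslv3() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -ssl3 2>&1)
    if printf '%s' "$out" | grep -qi 'unknown option'; then
        echo "local openssl has no SSLv3 support; probe of $1 is inconclusive"; return 2
    elif printf '%s' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "$1 rejects SSLv3"; return 1
    elif printf '%s' "$out" | grep -q 'Cipher is '; then
        echo "$1 ACCEPTS SSLv3 (exposed to POODLE)"; return 0
    fi
    echo "no handshake output from $1 (unreachable?)"; return 2
}

# When run directly: audit whichever of the article's default files exist.
for f in /etc/nginx/nginx.conf /etc/apache2/mods-available/ssl.conf /etc/httpd/conf.d/ssl.conf; do
    [ -r "$f" ] || continue
    rc=0
    audit_file "$f" || rc=$?
    case $rc in
        0) echo "OK: $f does not enable SSLv3" ;;
        2) echo "NOTE: $f has no protocol directive; the compiled-in default applies" ;;
    esac
done
```

Run it after editing, before the restart, together with the servers' own syntax checks (`nginx -t`, `apachectl configtest`), and after the restart call `probe_sslv3 example.com` (hostname assumed) from a machine whose OpenSSL still supports SSLv3. Going beyond the article's 2014 guidance: TLSv1 and TLSv1.1 have since been deprecated as well, so a current configuration would list only TLSv1.2 and TLSv1.3 in nginx, and use `SSLProtocol -all +TLSv1.2 +TLSv1.3` in Apache; the audit above accepts either form.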