How To Protect Server from POODLE SSLv3 Vulnerability

Here we are going to discuss about SSLv3 Poodle vulnerability ( CVE-2014-3566 ) . After Heart bleed bug and BEAST attack , now we have heard about new vulnerability POODLE. The POODLE vulnerability is a puniness in SSL version 3 that will allow attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Now we are going to protect piece of software that can be involve with SSLv3. Here we are going to protect some common applications like Nginx , Apache and HA Proxy .

Nginx Web Server

We can use ssl_protocolsdirective to disable SSLv3 in nginx web server, it will be in the web server or http configuration block.
In the global configuration file like /etc/nginx/nginx.conf or inside the http block as /etc/nginx/site-enabled directory , we can add this directive. Use like below steps for nginx web server.

# vim /etc/nginx/nginx.conf

Add ssl_protocols directive like below to disable SSLv3.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

After that restart the web server service to read changes in configuration file.

# Service nginx restart

Apache web server.

On Ubuntu, we need to change or add directive by editing /etc/apache2/mods-available/ssl.conffile.

# vim /etc/apache2/mods-available/ssl.conf

On CentOS /RedHat , we need to adjust this in SSL configuration file in

/etc/httpd/conf.d/ssl.conf
# vim/etc/httpd/conf.d/ssl.conf

Find the SSLProtocol directive in configuration file , if this is not their , add it and modify to remove SSLv3 like below

SSLProtocol all -SSLv3 -SSLv2

Save and exit from the configuration file and restart the service to read the modification in the configuration file.
On Ubuntu restart the service like below.

service apache2 restart

On CentOS, this would be:

service httpd restart

About Sachin G

I am a professional freelance contributor and founder of tech transit. Love to write and lover of education, culture, and community. I have been using it, setting, supporting, and maintaining it since 2009.Linux rocks!