Here we discuss the SSLv3 POODLE vulnerability (CVE-2014-3566). After the Heartbleed bug and the BEAST attack, we now have a new vulnerability, POODLE. POODLE is a weakness in SSL version 3 that allows an attacker in a man-in-the-middle position to recover parts of the plaintext (a session cookie, for example) from SSLv3-encrypted traffic by abusing SSLv3's loose CBC padding check; against a client that also supports TLS, the attacker first forces a downgrade to SSLv3.
The protection is to disable SSLv3 in every piece of software that can still negotiate it. Here we cover some common applications: Nginx, Apache and HAProxy.
Nginx Web Server
In the Nginx web server the ssl_protocols directive controls which protocol versions are offered; it can be set in the http block or in an individual server block.
Add it either to the global configuration file /etc/nginx/nginx.conf (inside the http block) or to the relevant server block in a file under /etc/nginx/sites-enabled. Follow the steps below for the nginx web server.
# vim /etc/nginx/nginx.conf
Add the ssl_protocols directive as below. Nginx offers only the versions listed, so leaving SSLv3 out of the list disables it. Check every server block that sets its own ssl_protocols, because a server-level directive overrides the http-level one.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
After that, check the syntax with nginx -t and restart the web server so it reads the changed configuration file.
# service nginx restart
Apache Web Server
On Ubuntu, we change or add the directive by editing /etc/apache2/mods-available/ssl.conf.
# vim /etc/apache2/mods-available/ssl.conf
On CentOS/RedHat, the same setting lives in the SSL configuration file /etc/httpd/conf.d/ssl.conf.
# vim /etc/httpd/conf.d/ssl.conf
Find the SSLProtocol directive in the configuration file (add it if it is not there) and modify it to remove SSLv3 as below. The form all -SSLv3 -SSLv2 enables every version the OpenSSL build supports and then subtracts the two SSL versions. SSLProtocol may also appear inside individual VirtualHost blocks, where it overrides the global value, so fix every occurrence.
SSLProtocol all -SSLv3 -SSLv2
Save and exit the configuration file, check it with apachectl -t (apache2ctl -t on Ubuntu), and restart the service so it reads the modified configuration.
On Ubuntu restart the service like below.
# service apache2 restart
On CentOS, this would be:
# service httpd restart
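As an added example that is not part of the original article, the following shell script audits both the Nginx and the Apache configuration described above for a lingering SSLv3 setting, and shows how to probe the server after the restart. The function names are my own, and the configuration fragments written by write_samples are constructed for the demonstration; point the checks at your real files instead.

```shell
#!/bin/sh
# Added example, not from the original article: audit Nginx and Apache config
# files for SSLv3 (POODLE, CVE-2014-3566) and probe a live server after the
# restart. The fragments in write_samples are constructed for the demo.

# nginx_allows_sslv3 FILE: exit 0 if any uncommented ssl_protocols directive
# lists SSLv3 (server blocks inherit the http-level value, so any occurrence
# is a finding), 1 if directives exist and none lists it, 2 if there is no
# directive (the compiled-in default applies; before nginx 1.9.1 it had SSLv3).
nginx_allows_sslv3() {
    found=0; enabled=0
    while read -r line; do
        [ -z "$line" ] && continue
        found=1
        set -- $(printf '%s' "$line" | tr ';' ' '); shift   # tokens, minus name
        for tok in "$@"; do
            [ "$tok" = "SSLv3" ] && enabled=1
        done
    done <<EOF
$(grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]')
EOF
    [ "$found" -eq 0 ] && return 2
    [ "$enabled" -eq 1 ]
}

# apache_allows_sslv3 FILE: evaluate SSLProtocol as mod_ssl does ("all", "SSLv3"
# and "+SSLv3" enable it, "-SSLv3" removes it; the last directive in the file
# wins, approximating per-VirtualHost scoping). Exit 0 if SSLv3 ends up enabled,
# 1 if disabled, 2 if absent (mod_ssl then defaults to "all", which included
# SSLv3 on httpd releases of the POODLE era).
apache_allows_sslv3() {
    found=0; enabled=0
    while read -r line; do
        [ -z "$line" ] && continue
        found=1; enabled=0
        set -- $line; shift
        for tok in "$@"; do
            case "$tok" in
                all|SSLv3|+SSLv3) enabled=1 ;;
                -SSLv3)           enabled=0 ;;
            esac
        done
    done <<EOF
$(grep -v '^[[:space:]]*#' "$1" | grep -iE '^[[:space:]]*SSLProtocol[[:space:]]')
EOF
    [ "$found" -eq 0 ] && return 2
    [ "$enabled" -eq 1 ]
}
# probe_sslv3 HOST [PORT]: live check after the restart. A hardened server
# refuses an SSLv3-only handshake, so s_client exits non-zero. Needs an OpenSSL
# build that still has -ssl3 (otherwise use nmap --script ssl-enum-ciphers).
probe_sslv3() {
    if openssl s_client -connect "$1:${2:-443}" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "VULNERABLE: $1:${2:-443} completed an SSLv3 handshake"
    else
        echo "OK: $1:${2:-443} refused SSLv3"
    fi
}

# write_samples DIR: constructed before/after fragments for both servers.
write_samples() {
    cat >"$1/nginx-weak.conf" <<'EOF'
http {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat >"$1/nginx-fixed.conf" <<'EOF'
http {
    # ssl_protocols SSLv3 TLSv1;   (old setting, left commented out)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat >"$1/apache-weak.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all
</IfModule>
EOF
    cat >"$1/apache-fixed.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3 -SSLv2
</IfModule>
EOF
}
# Demo: audit the constructed fragments and print a verdict per file.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    case "$f" in
        */nginx-*) nginx_allows_sslv3 "$f" ;;
        *)         apache_allows_sslv3 "$f" ;;
    esac
    case "$?" in
        0) verdict="SSLv3 enabled: vulnerable to POODLE" ;;
        1) verdict="SSLv3 disabled" ;;
        *) verdict="no directive: build default applies, run probe_sslv3" ;;
    esac
    printf '%-18s %s\n' "$(basename "$f")" "$verdict"
done
rm -rf "$tmp"
```

The audit only reads what the files say; a missing directive means the build's default decides, which is why the script reports that case separately rather than calling it safe. The authoritative answer is always the live probe_sslv3 check against the restarted server, since that tests what the process actually negotiates.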