POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability that was found on October 14th, 2014, which allows an attacker to read any encrypted information using the SSLv3 protocol by performing a man-in-the-middle attack. Although many programs use SSLv3 as a fallback, it has come to the point where it should be disabled - as many clients can be forced into using SSLv3. Forcing a client into SSLv3 increases the chance of an attack taking place. This article will show you how to disable SSLv3 in select software applications that are commonly used today.
Head to the configuration file where your server information is stored. For example,
/etc/nginx/sites-enabled/ssl.example.com.conf (replacing the path accordingly to your configuration). Within the file, look for
ssl_protocols. Make sure this line exists, and matches the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This will enforce the use of TLS, thus disabling SSLv3 (and any older or obsolete protocols). Now restart your Nginx server by running one of the following commands.
systemctl restart nginx
service nginx restart
To disable SSLv3, head to your module configuration directory for Apache. On Ubuntu/Debian it may be
/etc/apache2/mod-available. Whereas on CentOS, it may be located in
/etc/httpd/conf.d. Look for the
ssl.conf file. Open
ssl.conf and find the
SSLProtocol directive. Make sure this line exists, and matches the following:
SSLProtocol all -SSLv3 -SSLv2
Once finished, save, then restart your server by running one of the following commands.
For Ubuntu/Debian run:
systemctl restart httpd
service apache2 restart
Head to your
postfix directory. It is typically
/etc/postfix/. Open up the
main.cf file and look for
smtpd_tls_mandatory_protocols. Make sure this line exists, and matches the following:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2
This will force TLSv1.1 and TLSv1.2 to be enabled and used on your Postfix server. Once done, save and restart.
systemctl restart postfix
service postfix restart
Open the file located at
/etc/dovecot/conf.d/10-ssl.conf. Then, find the line that contains
ssl_protocols and make sure it matches the following:
ssl_protocols = !SSLv2 !SSLv3 TLSv1.1 TLSv1.2
Once done, save and restart Dovecot.
systemctl restart dovecot
service dovecot restart
To verify that SSLv3 is disabled on your web server, run the following command (replace domain and IP accordingly):
openssl s_client -servername example.com -connect 0.0.0.0:443 -ssl3
You will see output similar to the following:
CONNECTED(00000003) 140060449216160:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40 140060449216160:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1414181774 Timeout : 7200 (sec) Verify return code: 0 (ok)
If you want to confirm that your server is using TLS, run the same command but without
openssl s_client -servername example.com -connect 0.0.0.0:443
You should see similar information displayed. Locate the
Protocol line and confirm that it is using
TLSv1.X (with X being 1 or 2 depending on your configuration). If you see this, then you have successfully disabled SSLv3 on your web server.