How to protect. SSL 3.0 Protocol Vulnerability and POODLE Attack
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
How to protect own server
For Nginx just switch off SSLv3 like this:
was: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
now: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Apache
In the configuration file ssl.conf fot module mod_ssl need change string like this
SSLProtocol all -SSLv3 -SSLv2
Postfix
In the files main.cf need to forbid use SSL
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
Sendmail
Need to edit .mc file in the section LOCAL_CONFIG chang +SSLv3 to -SSLv3
SSLProtocol -ALL -SSLv2 -SSLv3 +TLSv1
and add !SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!SSLv3
then
# make install & make restart
IMAP и POP3 server Dovecot
In the 10-ssl.conf or dovecot.conf
ssl_protocols = !SSLv3 !SSLv2
HAProxy Load Balancer
In the file haproxy.cfg
frontend name bind public_ip:443 ssl crt /path/to/certs no-sslv3
Do not forget restart 🙂
Leave comments