{"id":4345,"date":"2014-10-18T23:43:07","date_gmt":"2014-10-18T15:43:07","guid":{"rendered":"https:\/\/www.icocean.com\/blog\/?p=4345"},"modified":"2014-10-18T23:44:14","modified_gmt":"2014-10-18T15:44:14","slug":"disabling-sslv3-for-poodle","status":"publish","type":"post","link":"https:\/\/www.icocean.com\/blog\/?p=4345","title":{"rendered":"Disable SSLv3 for POODLE(Apache,Nginx,Postfix,Dovecot)"},"content":{"rendered":"

Padding Oracle On Downgraded Legacy Encryption (POODLE) was released with the CVE identifier of CVE-2014-3566<\/a>. The vulnerability was found in SSL protocol 3.0, unlike Heartbleed<\/a> which was found in OpenSSL.<\/p>\n

SSL protocol 3.0 makes use of CBC-mode ciphers that allow for man-in-the-middle attacks using padding-oracle stacks. These attacks target the CBC ciphers to retrieve plain-text output from otherwise encrypted information.<\/strong><\/p>\n

There is some good news. Most connections are using TLS and not SSL. However, sometimes there are problems negotiating a TLS session, and then the web servers, browsers, and other applications must downgrade to SSL.<\/p>\n

In order to resolve this issue, we must disable SSLv3 for applications. <\/p>\n

Unfortunately, there is no way to do this for an entire server at once. You will need to edit each individual configuration separately.<\/p>\n

The Impact of Disabling SSLv3<\/h1>\n

There\u2019s little impact for most people in disabling SSLv3 because they are not relying on SSLv3 to make connections via SSL\/TLS. The large majority relies on TLS.<\/p>\n

In the future, browsers such as Google Chrome and FireFox will have SSLv3 disabled at release. It is also advisable to disable SSLv3 on home browsers, not only server applications.<\/p>\n

Testing for SSLv3<\/h1>\n

There are several ways to determine if a service running over SSL will allow SSLv3. An easy method is to use the OpenSSL command line client. Run the command:<\/p>\n

\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
openssl s_client -connect example.com:443 -ssl3\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Remember to replace example.com<\/code> with your domain or IP address, and 443<\/code> with any alternate port you may be using for your SSL connection. Check the output for the text:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
routines:SSL3_READ_BYTES:sslv3 alert handshake failure\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
If you see this, the service you have tested does not support SSLv3. It is safe from the vulnerability.<\/p>\n
Disabling SSLv3<\/h1>\n
Unfortunately, there is no simple way to go about this. There\u2019s no patch to install, and the only way to resolve this is to disable SSLv3 in any application that may use it.<\/p>\n
While we do not know the configuration of your Linode, we would be happy to assist you via support ticket if you have any questions about disabling SSLv3 on a specific application that is not provided below.<\/p>\n
The POODLE vulnerability only works if the browser of the client and the server\u2019s connection are both supporting SSLv3. Therefore, by disabling SSLv3 on your system, you are also protecting your client(s) from the vulnerability.<\/p>\n
Apache<\/h2>\n
If you\u2019re running an Apache web server that currently allows SSLv3, you will need to edit the Apache configuration. On Debian and Ubuntu systems the file is \/etc\/apache2\/mods-available\/ssl.conf<\/code>. On CentOS and Fedora the file is \/etc\/httpd\/conf.d\/ssl.conf<\/code>. You will need to add the following line to your Apache configuration with other SSL directives.<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
SSLProtocol All -SSLv2 -SSLv3\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
This will allow all protocols except SSLv2 and SSLv3. You can test your configuration change with the command:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
apachectl configtest\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
You will then need to restart your Apache instance. On Ubuntu and Debian:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
sudo service apache2 restart\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
On CentOS and Fedora:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
systemctl restart httpd\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
For more information about configuring Apache to disallow SSLv2 and SSLv3, please see their Mod_SSL Documentation<\/a><\/p>\n
NGINX<\/h2>\n
If you\u2019re running an NGINX web server that currently uses SSLv3, you need to edit the NGINX configuration (nginx.conf<\/code>). You will need to add the following line to your server<\/code> directive:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
This will deactivate SSLv3 from being used on NGINX. If you\u2019re unable to find the server directive in nginx.conf<\/code>, you may need to locate your VirtualHost configuration file.<\/p>\n
You will also need to restart your NGINX server:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
sudo service nginx restart\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
For more information about NGINX\u2019s SSL protocol setting, please see their NGX HTTP SSL Module Documentation<\/a>.<\/p>\n
Hiawatha<\/h2>\n
If you\u2019re using the security-focused Hiawatha web server<\/a>, it\u2019s likely that SSLv3 is already disabled by default. But if for some reason you\u2019re running an older version that does allow SSLv3, you can use the MinSSLversion<\/code> setting in hiawatha.conf<\/code>:<\/p>\n
\n\n\n\n
\n
1\r\n2<\/pre>\n<\/td>\n
\n
MinSSLversion = TLS1.0\r\n# or TLS1.1 or TLS1.2\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Then restart Hiawatha. For example, in Debian or Ubuntu:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
sudo service hiawatha restart\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
For more information on Hiawatha\u2019s configuration settings, see the manual page<\/a>.<\/p>\n
Postfix SMTP<\/h2>\n
If your Postfix installation is set up for opportunistic SSL<\/code>, which means that encryption is not enforced and plain text is accepted, you do not need to change anything. However, if you are running Postfix in mandatory SSL<\/code> mode, you will need to adjust your configuration to reflect the following change:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
You\u2019ll want to look in the # TLS parameters<\/code> section of \/etc\/postfix\/main.cf<\/code>. This will force Postfix SMTP to not use SSLv3 or SSLv2. You will also need to restart Postfix:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
sudo service postfix restart\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
For more information about Postfix\u2019s smtpd_tls_mandatory_protocols<\/code> setting, please see their Postfix Configuration Parameters<\/a> documentation.<\/p>\n
The Postfix documentation has not yet been adjusted to disallow SSLv3.<\/p><\/blockquote>\n
Dovecot<\/h2>\n
This will only work in Dovecot versions 2.1 and above. Add the following line to \/etc\/dovecot\/local.conf<\/code> or a new file in \/etc\/dovecot\/conf.d\/10-ssl.conf<\/code>:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
ssl_protocols = !SSLv2 !SSLv3\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Then restart Dovecot:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
sudo service dovecot restart\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
If you are running a version of Dovecot before 2.1, you will need to edit the source code of Dovecot.<\/p>\n
HAProxy<\/h2>\n
In order to disable SSLv3 in HAProxy, you must be using HAProxy 1.5+, as SSL is not supported in earlier versions of HAProxy. Edit the \/etc\/haproxy.cfg<\/code> file and find the line that starts with bind<\/code> and refers to port 443 (SSL). Append that line with no-sslv3<\/code>.<\/p>\n
An example of this line would be:<\/p>\n
\n\n\n\n
\n
1<\/pre>\n<\/td>\n
\n
bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3\r\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
You can learn more about HAProxy\u2019s no-sslv3<\/code> cipher in their HAProxy Configuration Manual<\/a>.<\/p>\n
OpenVPN<\/h2>\n
According to a forum posted on OpenVPN<\/a>, OpenVPN has announced that, because they use TLSv1.0, their platform is not vulnerable to POODLE.<\/p>\n
This guide is published under a CC BY-ND 3.0<\/a> license.<\/p>\n
Updated Wednesday, October 15th, 2014 by Dave Russell
\nhttps:\/\/linode.com\/docs\/security\/security-patches\/disabling-sslv3-for-poodle<\/p>\n","protected":false},"excerpt":{"rendered":"
Padding Oracle On Downgraded Legacy Encryption (POODLE) […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2993,4041,4026,4040],"class_list":["post-4345","post","type-post","status-publish","format-standard","hentry","category-4","tag-attack","tag-cbc-cipher","tag-mimt","tag-sslv3","category-4-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4345"}],"version-history":[{"count":2,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4345\/revisions"}],"predecessor-version":[{"id":4347,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4345\/revisions\/4347"}],"wp:attachment":[{"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.icocean.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}