Admin-Ahead Community

Linux => Server Security & Hardening => Topic started by: Admin on October 17, 2014, 05:45:38 pm

Title: Disable sslv3 for POODLE Security Vulnerability in Apache / http
Post by: Admin on October 17, 2014, 05:45:38 pm
This thread collects information gathered from various websites about the POODLE security vulnerability reported in SSLv3.

From Redhat:

POODLE stands for Padding Oracle On Downgraded Legacy Encryption.

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

To check whether SSLv3 is enabled on your server:

As root:

Open your editor [I am using vi]

vi ssl3check.sh

Enter the following script:

#!/bin/bash
# Usage: ssl3check.sh [host] [port]   (defaults: the local hostname and 443)
# Attempts an SSLv3-only handshake; the "Q" closes the session once it completes.
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-$(hostname)}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
  # The SSL-Session block names SSLv3 either way; a cipher of 0000 means no
  # cipher suite was negotiated, i.e. the server refused the SSLv3 handshake.
  if echo "${ret}" | grep -q 'Cipher.*0000'; then
    echo "SSLv3 disabled"
  else
    echo "SSLv3 enabled"
  fi
else
  # No SSL-Session output: port closed, timeout, or a local openssl built without SSLv3.
  echo "SSL disabled or other error"
fi


Write and Quit.

:wq

Execute the script:

bash ssl3check.sh
bash ssl3check.sh <host> <port>
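The same decision logic as ssl3check.sh, as an added example that is not part of the original post, factored into a function that is fed the raw output of openssl s_client (stdout and stderr together). Capturing stderr lets it report the one case the script above cannot distinguish from a refused connection: a local openssl that was built without SSLv3 support, which proves nothing about the server. The SAMPLE_* strings are constructed, trimmed copies of typical s_client output so the file runs offline; the function and variable names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post. Classifies the output of
# `openssl s_client -connect host:port -ssl3 2>&1` into four outcomes.

classify_ssl3_output() {
  # $1: captured stdout+stderr of the s_client run
  local out="$1"
  if printf '%s\n' "$out" | grep -qi 'unknown option'; then
    # openssl 1.1.0+ and distro builds configured with no-ssl3 reject -ssl3 outright
    echo "cannot test: local openssl has no SSLv3 support"
  elif printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3'; then
    if printf '%s\n' "$out" | grep -q 'Cipher *: *0000'; then
      echo "SSLv3 disabled"      # handshake refused, no cipher suite negotiated
    else
      echo "SSLv3 enabled"       # a real SSLv3 cipher suite was agreed
    fi
  else
    echo "SSL disabled or other error"
  fi
}

# Live wrapper (not exercised below): host and port default to this host and 443.
check_host_ssl3() {
  classify_ssl3_output "$(echo Q | timeout 5 openssl s_client \
      -connect "${1-$(hostname)}:${2-443}" -ssl3 2>&1)"
}

# Constructed samples of the outcomes (abbreviated s_client output).
SAMPLE_ENABLED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
---'
SAMPLE_DISABLED='CONNECTED(00000003)
140123:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'
SAMPLE_CONNREFUSED='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_NO_SSL3" "$SAMPLE_CONNREFUSED"; do
  classify_ssl3_output "$s"
done
```

Run the check from a host whose openssl still accepts -ssl3; on a modern client the "cannot test" branch fires and the server's state remains unknown.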

If it says enabled, then do the following:

Disabling SSL 3.0 in mod_ssl

To mitigate this vulnerability as it affects httpd using mod_ssl, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:

Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.

Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)

SSLProtocol All -SSLv2 -SSLv3

Option 2: Disable everything except TLSv1.x

On Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6.6 and later:

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

On other platforms:

SSLProtocol -All +TLSv1

Then check the configuration and restart httpd (on Red Hat Enterprise Linux 7, systemctl restart httpd does the same):

# apachectl configtest
# service httpd restart
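A small audit of SSLProtocol directives, as an added example that is not part of the original post. It evaluates the argument list the way mod_ssl parses it, which is case-insensitive and left to right: "all" turns every protocol on, "-X" removes X, "+X" adds X, and a bare keyword replaces the whole set. It flags any directive that still leaves SSLv3 enabled, and also the absence of a directive, because the mod_ssl default on the httpd versions this post targets is "all". The configuration strings are constructed samples; the function names are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: audit SSLProtocol directives for SSLv3.

sslprotocol_allows_ssl3() {
  # $1: argument string of one SSLProtocol directive, e.g. "all -SSLv2 -SSLv3"
  # Echoes 1 if the resulting protocol set still contains SSLv3, else 0.
  local allowed=0 tok
  for tok in $1; do
    case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
      +all|+sslv3) allowed=1 ;;   # add to the current set
      -all|-sslv3) allowed=0 ;;   # remove from the current set
      +*|-*)       ;;             # other protocols do not change SSLv3 status
      all|sslv3)   allowed=1 ;;   # a bare keyword replaces the whole set
      *)           allowed=0 ;;
    esac
  done
  echo "$allowed"
}

audit_sslprotocol_config() {
  # $1: httpd configuration text. Prints one verdict per SSLProtocol directive, or a
  # warning when none is present. Scope (global vs. <VirtualHost>) is not tracked; as the
  # note above says, the top-level or default-vhost directive is the one that governs.
  local found=0 args lines
  lines=$(printf '%s\n' "$1" | sed 's/#.*//' | grep -i '^[[:space:]]*sslprotocol[[:space:]]' \
          | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//')
  while IFS= read -r args; do
    [ -n "$args" ] || continue
    found=1
    if [ "$(sslprotocol_allows_ssl3 "$args")" = 1 ]; then
      echo "WEAK: SSLProtocol $args"
    else
      echo "OK: SSLProtocol $args"
    fi
  done <<EOF
$lines
EOF
  [ "$found" = 1 ] || echo "WEAK: no SSLProtocol directive, mod_ssl default (all) includes SSLv3"
}

# Constructed sample configurations.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL'
FIXED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3'
TLS_ONLY_CONF='SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2'
MISSING_CONF='SSLEngine on
# SSLProtocol all -SSLv3   (commented out, so the default applies)'

for c in "$WEAK_CONF" "$FIXED_CONF" "$TLS_ONLY_CONF" "$MISSING_CONF"; do
  audit_sslprotocol_config "$c"
done
```

To audit a real file, call audit_sslprotocol_config "$(cat /etc/httpd/conf.d/ssl.conf)", and remember that a directive inside a non-default virtual host does not override the one that applies to the handshake.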

Disabling SSL 3.0 in mod_nss

To mitigate this vulnerability as it affects httpd using mod_nss, set the NSSProtocol directive as follows in /etc/httpd/conf.d/nss.conf:

Red Hat Enterprise Linux 6 and later:

NSSProtocol TLSv1.0,TLSv1.1

Red Hat Enterprise Linux 5:

NSSProtocol TLSv1.0

Then restart httpd:

# service httpd restart

Re-run the script against the server, and against every other port or virtual host that terminates TLS:

bash ssl3check.sh

It should now report "SSLv3 disabled".