This thread details information gathered from various websites regarding the POODLE security vulnerability reported against SSLv3.
From Red Hat:
POODLE stands for Padding Oracle On Downgraded Legacy Encryption.
POODLE affects an older protocol version, Secure Sockets Layer (SSL) 3.0: the padding bytes of its CBC record format are not covered by the MAC, so a server that checks them leaks one byte of plaintext per padding-oracle query. It does not affect the newer Transport Layer Security (TLS) protocol as specified, but a client that retries a failed TLS handshake with SSL 3.0 can be pushed down into it (the "downgraded" in the name), which is why the fix is to disable SSL 3.0 outright rather than to prefer TLS.
To check whether a server still accepts SSLv3 (the probe itself needs no privileges; root is only required for the httpd configuration changes further down):
As root:
Open your editor [I am using vi]
vi ssl3check.sh
Enter the following script:
#!/bin/bash
# Usage: ssl3check.sh [host] [port]   (defaults: this host, port 443)
# Forces an SSLv3-only handshake: a server that still speaks SSLv3 completes it,
# one that has it disabled answers with a handshake failure.
host=${1:-$(hostname)}
port=${2:-443}
ret=$(echo Q | timeout 5 openssl s_client -connect "${host}:${port}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # s_client prints the SSL-Session block either way; a null cipher id (0000)
    # means the server refused the SSLv3 handshake
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSLv3 disabled"
    else
        echo "SSLv3 enabled"
    fi
else
    # no SSL-Session block at all: connection refused, wrong port, or the local
    # openssl was built without SSLv3 support and rejected -ssl3
    echo "SSL disabled or other error"
fi
Write and quit:
:wq
Execute the script (host and port are optional and default to this machine and 443):
sh ssl3check.sh [host] [port]
If it reports SSLv3 enabled, then do the following:
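The script above folds "the server refused SSLv3" and "the test could not run" into its else branch, and on a box whose openssl was built without SSLv3 (common for OpenSSL 1.1.0 and later, which packagers build with no-ssl3) every host looks like "other error". The following is an added example, not from the original post or from Red Hat, that keeps the three outcomes apart: it first checks that the local openssl still accepts -ssl3, then classifies the s_client output as enabled, disabled or unknown, treating unknown as inconclusive rather than as a pass. The function names (openssl_has_ssl3, classify_ssl3, probe_ssl3) are chosen here, and the s_client outputs at the bottom are constructed, trimmed captures so the classifier can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the original post or from Red Hat: a three-way
# SSLv3 probe. Function names and the sample outputs are chosen here.

# openssl_has_ssl3: succeeds if the local openssl still accepts -ssl3. OpenSSL
# 1.1.0+ packages are commonly built with no-ssl3; on such a box the probe can
# never negotiate SSLv3, whatever the server does.
openssl_has_ssl3() {
    openssl s_client -help 2>&1 | grep -q -- '-ssl3'
}

# classify_ssl3: reads s_client stdout and prints one word:
#   enabled  - an SSLv3 session with a real cipher was negotiated
#   disabled - session block present but null cipher 0000: server refused SSLv3
#   unknown  - no SSLv3 session block at all (connection failed, wrong port, or
#              -ssl3 rejected locally); inconclusive, not a pass
classify_ssl3() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol[[:space:]]*:[[:space:]]*SSLv3'; then
        if printf '%s\n' "$out" | grep -q 'Cipher[[:space:]]*:[[:space:]]*0000'; then
            echo disabled
        else
            echo enabled
        fi
    else
        echo unknown
    fi
}

# probe_ssl3 HOST [PORT]: the live check (needs network access); exits 2 when
# the local openssl cannot speak SSLv3 so the result is not mistaken for a pass.
probe_ssl3() {
    if [ -z "$1" ]; then
        echo "usage: probe_ssl3 host [port]" >&2
        return 1
    fi
    local host=$1 port=${2:-443}
    if ! openssl_has_ssl3; then
        echo "unknown: local openssl has no SSLv3 support, test from an older host"
        return 2
    fi
    echo Q | timeout 5 openssl s_client -connect "${host}:${port}" -ssl3 2>/dev/null |
        classify_ssl3
}

# Constructed, trimmed s_client outputs for offline use.
SAMPLE_ENABLED='CONNECTED(00000003)
---
New, SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 000A'

SAMPLE_DISABLED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# connection errors and "unknown option -ssl3" go to stderr, so stdout is empty
SAMPLE_FAILED=''

for sample in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_FAILED"; do
    printf '%s\n' "$sample" | classify_ssl3
done
```

Run probe_ssl3 against each host and port you expose; anything that prints unknown should be re-tested from a host whose openssl still accepts -ssl3 before it is written down as fixed.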
Disabling SSL 3.0 in mod_ssl
To mitigate this vulnerability for httpd using mod_ssl, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address. An SSLProtocol directive inside any other <VirtualHost> block overrides it for that host, so check the remaining files in /etc/httpd/conf.d/ as well; a virtual host with no directive of its own inherits the server-wide setting.
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3
Option 2: Disable everything except TLSv1.x
On Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
On other platforms:
SSLProtocol -All +TLSv1
Then restart httpd:
# service httpd restart
Disabling SSL 3.0 in mod_nss
To mitigate this vulnerability for httpd using mod_nss, set the NSSProtocol directive as follows in /etc/httpd/conf.d/nss.conf (mod_nss takes a comma-separated list, and SSLv3 is allowed only if it appears in that list):
Red Hat Enterprise Linux 6 and later:
NSSProtocol TLSv1.0,TLSv1.1
Red Hat Enterprise Linux 5:
NSSProtocol TLSv1.0
Then restart httpd:
# service httpd restart
Re-run the script:
sh ssl3check.sh
It should now say SSLv3 disabled. If it prints "SSL disabled or other error" instead, the check was inconclusive rather than passed: either the connection failed or the local openssl cannot speak SSLv3 at all, so repeat it from a host whose openssl still accepts -ssl3.
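Re-running the probe only tells you about the host and port you pointed it at. The following is an added example, not part of the original post or of Red Hat's guidance, that audits the configuration side instead: it walks a set of httpd config files, evaluates every uncommented SSLProtocol directive with mod_ssl's left-to-right semantics (a bare name sets the list, +name adds, -name removes) and every NSSProtocol list, and reports which ones still permit SSLv3, which is how a forgotten per-VirtualHost override in another conf.d file shows up. The function names and the three sample config files are chosen here; the samples are constructed stand-ins for /etc/httpd/conf.d/*.conf.

```shell
#!/bin/bash
# Added example, not part of the original post or of Red Hat's guidance:
# find every uncommented SSLProtocol / NSSProtocol directive in a set of
# httpd config files and say whether it still permits SSLv3. A directive
# inside a <VirtualHost> overrides the server-wide one, so editing ssl.conf
# alone is not enough if another file in conf.d/ sets its own.
# Function names and the sample config files are chosen here.

# mod_ssl evaluates tokens left to right: a bare name sets the list, "+name"
# adds to it, "-name" removes from it (case-insensitive). Prints yes/no.
sslprotocol_allows_ssl3() {
    local tok allowed=no
    for tok in $1; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]|[Ss][Ss][Ll][Vv]3|+[Ss][Ss][Ll][Vv]3) allowed=yes ;;
            -[Aa][Ll][Ll]|-[Ss][Ss][Ll][Vv]3) allowed=no ;;
            +*|-*) ;;        # adding/removing some other protocol leaves SSLv3 as is
            *) allowed=no ;; # a bare TLSv1.x or SSLv2 replaces the whole list
        esac
    done
    echo "$allowed"
}

# mod_nss takes a comma-separated list; SSLv3 is permitted only if listed.
nssprotocol_allows_ssl3() {
    case ",$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')," in
        *,sslv3,*) echo yes ;;
        *) echo no ;;
    esac
}

# audit_protocol_directives FILE...: prints "file:line: directive value ->
# verdict" per directive; returns 1 if any still allows SSLv3, else 0.
# Assumes file paths contain no ':' or '|' (grep -n output is split on ':').
audit_protocol_directives() {
    local file tmp rc=0 line location content directive value verdict label
    tmp=$(mktemp)
    for file in "$@"; do
        grep -n -i -E '^[[:space:]]*(SSL|NSS)Protocol[[:space:]]' "$file" 2>/dev/null |
            sed "s|^|$file:|" >> "$tmp"
    done
    while IFS= read -r line; do
        location=$(printf '%s' "$line" | cut -d: -f1,2)
        content=$(printf '%s' "$line" | cut -d: -f3-)
        set -- $content            # word-split into directive + value tokens
        directive=$1; shift; value=$*
        case "$directive" in
            [Nn][Ss][Ss]*) verdict=$(nssprotocol_allows_ssl3 "$value") ;;
            *)             verdict=$(sslprotocol_allows_ssl3 "$value") ;;
        esac
        if [ "$verdict" = yes ]; then label="SSLv3 ALLOWED"; rc=1; else label="SSLv3 blocked"; fi
        printf '%s: %s %s -> %s\n' "$location" "$directive" "$value" "$label"
    done < "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# write_sample_config DIR: constructed stand-ins for /etc/httpd/conf.d/*.conf.
write_sample_config() {
    cat > "$1/ssl.conf" <<'EOF'
Listen 443
#SSLProtocol all
SSLProtocol All -SSLv2 -SSLv3
EOF
    cat > "$1/legacy-vhost.conf" <<'EOF'
<VirtualHost 10.0.0.5:443>
    ServerName legacy.example.internal
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
    cat > "$1/nss.conf" <<'EOF'
NSSProtocol SSLv3,TLSv1.0
EOF
}

demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
if audit_protocol_directives "$demo_dir"/*.conf; then
    echo "no directive permits SSLv3"
else
    echo "at least one directive still permits SSLv3"
fi
rm -rf "$demo_dir"
```

Point it at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf (plus anything those files Include), fix every line marked ALLOWED, run httpd -t to catch syntax errors, and only then restart httpd and re-run the probe.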