
POODLE Bite: Exploiting The SSL 3.0 CVE-2014-3566


Google has recently discovered a vulnerability in the SSL 3.0 protocol (CVE-2014-3566, nicknamed POODLE) that could allow an attacker to compromise secure connections. System administrators are advised to disable SSL 3.0 on their servers and use TLS 1.1 or 1.2 instead.

This vulnerability does not affect your SSL certificates, so there is no need to renew, reissue, or reinstall them.

How to disable SSL V3

Apache:
Edit your SSL virtual host and make sure it contains the parameter below.


SSLProtocol all -SSLv2 -SSLv3

Nginx:
Edit your SSL virtual host and make sure it contains the parameter below.


ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

IIS:


Download DisableSSL3.zip, extract it, install DisableSSL3.reg and reboot the server.

Finally, make sure you restart the web server service so the changes take effect.

Amazon has also released instructions on how to cope with this vulnerability.

http://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advisory/

UPDATE:
Once you have disabled SSL V3 you can test your site or server with the following tool.

http://poodlebleed.com/

Alternatively, you can also verify it via the command line.


openssl s_client -connect google.com:443 -ssl3

If there is a handshake failure then SSL V3 is disabled on the server.
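The command-line check above is easy to misread: s_client prints an SSL-Session block even when the handshake fails, and an openssl built without SSLv3 rejects the -ssl3 option without ever talking to the server. The following added example (not from the original post) classifies s_client output into "disabled", "enabled" or "inconclusive"; the sample outputs are constructed, and check_host assumes an openssl binary on PATH.

```python
"""Classify `openssl s_client -connect host:443 -ssl3` output to confirm SSLv3 is off."""
import re
import subprocess

# Constructed sample outputs (abridged), not captured from any real host.
SAMPLE_DISABLED = (
    "CONNECTED(00000003)\n"
    "140735:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure"
    ":s3_pkt.c:1260:SSL alert number 40\n"
)
SAMPLE_ENABLED = (
    "CONNECTED(00000003)\n---\nSSL-Session:\n"
    "    Protocol  : SSLv3\n    Cipher    : AES128-SHA\n---\n"
)
SAMPLE_NO_LOCAL_SSLV3 = "s_client: Unknown option: -ssl3\n"
SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=111\n"


def classify(output: str) -> str:
    """Return 'disabled', 'enabled' or 'inconclusive' for s_client output.

    A handshake failure alert means the server rejected SSLv3. A completed
    session with a real cipher means SSLv3 is still accepted. Anything else
    (openssl built without SSLv3, TCP connect error) proves nothing about the
    server, so it is reported as inconclusive rather than as a pass.
    """
    text = output.lower()
    if "unknown option" in text or "connected(" not in text:
        return "inconclusive"
    if "handshake failure" in text:
        return "disabled"
    # s_client prints an SSL-Session block even on failure, with Cipher 0000,
    # so a negotiated SSLv3 session needs a real cipher to count as 'enabled'.
    proto = re.search(r"protocol\s*:\s*sslv3", text)
    cipher = re.search(r"cipher\s*:\s*(\S+)", text)
    if proto and cipher and cipher.group(1) not in ("0000", "(none)"):
        return "enabled"
    return "inconclusive"


def check_host(host: str, port: int = 443, timeout: int = 15) -> str:
    """Run the command from the post against host:port and classify its output.

    Assumes an openssl binary on PATH; stdin is closed so s_client exits at once.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-ssl3"],
        input=b"", capture_output=True, timeout=timeout,
    )
    return classify(proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace"))
```

Treat "inconclusive" as a failed check, not a pass: re-run it from a machine whose openssl still supports SSLv3.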

UPDATE: 10/16/2014

The vulnerability has been fixed in OpenSSL version 1.0.1j, so let's wait for the patches from Debian, Red Hat and other Linux distributors.
