You can check whether your website still accepts SSL 3.0 with curl, forcing SSLv3 (-3) and requesting only the headers (-I; curl's -X HEAD is not the same thing and makes curl wait for a body that never arrives):
curl -v -3 -I https://www.example.com
If you are NOT vulnerable, the handshake is rejected and your output should look something like this:
curl: (35) SSL connect error
If you ARE vulnerable, you will see normal connection output, potentially including the line:
SSL 3.0 connection using ...
This test is only meaningful if your local curl and its TLS library were built with SSL 3.0 support; current builds drop it, and the command then fails whatever the server does. In that case probe from a host with an older OpenSSL, or use a dedicated scanner.
Resolution
The attack described above requires an SSL 3.0 connection to be negotiated, so disabling the SSL 3.0 protocol in the client or in the server (or both) removes the precondition for a POODLE attack. The server side is the part you control on behalf of all your users, so the sections below go through it service by service.
Apache HTTPD Server
If you’re running Apache, include the following line in your configuration among the other mod_ssl directives (it can be set globally or per VirtualHost; a VirtualHost value overrides the global one, so check every SSL virtual host):
SSLProtocol All -SSLv2 -SSLv3
And restart the server, e.g.
sudo service apache2 restart
Nginx server
If you’re running Nginx, just include the following line in your configuration among the other SSL directives (nginx resolves ssl_protocols per server block, so a server {} that sets its own list overrides the http-level one; check every virtual host):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Additionally, for all the sites in Plesk for Linux, patch the nginx templates. Note that these sed expressions only match the exact literal string the templates ship with, so confirm with grep that it is present before relying on them:
# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxVhosts.php
Then regenerate the web server configuration for all domains so the patched templates take effect:
# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
Reference: Nginx documentation (ssl_protocols directive)
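The Plesk sed commands above rewrite one exact literal, ssl_protocols SSLv2 SSLv3 TLSv1;, so a template or virtual host that lists the protocols in a different order, or with TLSv1.1 already added, is silently left alone. The shell functions below, added here as an example and not part of the original post or of Plesk, audit any nginx-style configuration file for ssl_protocols directives that still permit SSLv2 or SSLv3 and rewrite every such line, whatever its protocol list, to the hardened value. The sample configuration in the demo is constructed for illustration; the file path is whatever you pass in, and the in-place edit assumes GNU sed.

```shell
#!/bin/sh
# Added example: audit and fix nginx ssl_protocols directives that still allow
# SSLv2/SSLv3. Unlike the literal-string sed in the post, the pattern matches
# any protocol list, so reordered or extended lists are caught as well.

HARDENED='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'

# Print (with line numbers) every active ssl_protocols directive in FILE that
# still lists SSLv2 or SSLv3. Commented-out lines are ignored because the
# directive has to start the line (after optional indentation).
# Exit status follows grep: 0 = weak lines found, 1 = none.
weak_ssl_protocols() {
    grep -nE '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$1"
}

# Rewrite every weak ssl_protocols directive in FILE in place, keeping the
# indentation and anything after the terminating semicolon (e.g. a comment).
# Assumes GNU sed for -i and -E.
harden_ssl_protocols() {
    sed -i -E "/^[[:space:]]*ssl_protocols[^;]*SSLv[23]/s/ssl_protocols[^;]*;/$HARDENED/" "$1"
}

# Demo on a constructed sample config (not a real Plesk template).
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '    ssl_protocols SSLv2 SSLv3 TLSv1;' \
        '    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # reordered: the literal sed misses this' \
        '    ssl_protocols TLSv1.2;' \
        '    # ssl_protocols SSLv3; (commented out, left alone)' > "$f"
    echo "before:"; weak_ssl_protocols "$f" || echo "(no weak lines)"
    harden_ssl_protocols "$f"
    echo "after:";  weak_ssl_protocols "$f" || echo "(no weak lines)"
    cat "$f"
    rm -f "$f"
}
demo
```

Run weak_ssl_protocols against each Plesk template and generated vhost file first; its exit status makes it usable as a fleet-wide check before you let harden_ssl_protocols touch anything, and httpdmng --reconfigure-all is still needed afterwards for Plesk-managed files.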
Dovecot IMAP/POP3 server
Include the following line in /etc/dovecot/dovecot.conf (on Debian-based systems the SSL settings usually live in /etc/dovecot/conf.d/10-ssl.conf):
ssl_protocols = !SSLv2 !SSLv3
This is the Dovecot 2.x syntax; Dovecot 2.3 replaced ssl_protocols with ssl_min_protocol (for example ssl_min_protocol = TLSv1), which expresses the same requirement as a minimum version.
Restart the service:
sudo service dovecot restart
Courier IMAP
Edit the following files:
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
Add the following line:
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
or just add !SSLv3 to the cipher list you already have.
Note that in an OpenSSL cipher string !SSLv3 removes cipher suites, not the protocol: it drops every suite that SSLv3 can negotiate, which also takes away the non-AEAD suites that TLS 1.0 and TLS 1.1 clients depend on and leaves only TLS 1.2 suites. Confirm that the clients you need to support still connect after the change.
Restart services:
sudo service courier-imaps restart
sudo service courier-pop3s restart
Postfix SMTP
For ‘opportunistic TLS’ (encryption is offered but not enforced, so plaintext is accepted too), restricting protocols gains little: a peer that cannot do better than SSLv3 simply falls back to plaintext, which is worse. If the connection has to be secure, you should be using ‘mandatory TLS’ mode anyway. (Postfix accepts the same protocol list for the opportunistic setting, smtpd_tls_protocols, and current Postfix releases already exclude SSLv2 and SSLv3 by default; on the older releases this post targets, set it explicitly if you want it.)
If ‘mandatory TLS’ mode is already configured, add or change the smtpd_tls_mandatory_protocols setting. Add the following line to the /etc/postfix/main.cf
file:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
The client-side equivalent for mail your server sends out is smtp_tls_mandatory_protocols. Then restart Postfix:
sudo service postfix restart
You can verify that SSLv3 is disabled with openssl s_client. Port 465 runs TLS in wrapper mode, so the handshake starts immediately:
openssl s_client -connect localhost:465 -ssl3
On port 25 or 587, where TLS is negotiated with STARTTLS, add -starttls smtp:
openssl s_client -connect localhost:25 -starttls smtp -ssl3
If you are not vulnerable (SSLv3 disabled), the handshake fails and your output should look something like this:
CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
If you are vulnerable, you should see normal connection output, including the server banner:
CONNECTED(00000003)
220 mail.example.com ESMTP Postfix
DONE
The -ssl3 option only exists in an OpenSSL built with SSLv3 support (OpenSSL 1.1.0 and later leave it out by default). If s_client rejects the option, the test says nothing about the server; probe from an older build or use a dedicated scanner instead.
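Reading s_client transcripts by eye scales badly across a fleet of hosts and ports, and the -ssl3 edge case above (an OpenSSL that cannot even send an SSLv3 ClientHello) must not be mistaken for a hardened server. The shell functions below, added here as an example and not part of the original post, wrap the probe and turn its transcript into one of four verdicts. The host names and ports are whatever you pass in; the transcripts in the offline demo are constructed from the output shapes shown above, not captured from a live server.

```shell
#!/bin/sh
# Added example: probe a service for SSLv3 with openssl s_client and classify
# the transcript instead of eyeballing it.

# Classify an `openssl s_client ... -ssl3` transcript read on stdin.
# Prints exactly one of: unsupported, accepted, refused, inconclusive.
classify_sslv3_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # Local OpenSSL was built without SSLv3 (the default since 1.1.0): the
        # probe never reached the server, so this is NOT evidence of hardening.
        echo unsupported
    elif printf '%s\n' "$out" | grep -qE 'Protocol *: *SSLv3'; then
        # The SSL-Session block reports a completed SSLv3 handshake.
        # (Do not key on "New, SSLv3, Cipher is ..."; old OpenSSL prints that
        # for TLS 1.0/1.1 sessions too.)
        echo accepted
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|wrong version number|unsupported protocol|alert protocol version'; then
        # The server rejected the SSLv3 ClientHello: the POODLE precondition is absent.
        echo refused
    else
        # No TLS handshake happened at all (connection refused, wrong port, timeout).
        echo inconclusive
    fi
}

# Probe HOST PORT [STARTTLS], where STARTTLS is smtp, imap or pop3 for ports
# that upgrade from plaintext (25, 587, 143, 110); omit it for wrapper-mode
# ports such as 443, 465, 993 or 995. Needs network access and an OpenSSL
# that still knows -ssl3.
probe_sslv3() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -ssl3 </dev/null 2>&1 | classify_sslv3_probe
    else
        openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_sslv3_probe
    fi
}

# Offline demo on constructed transcripts (shapes taken from the post, not captured live).
demo() {
    printf 'CONNECTED(00000003)\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : AES256-SHA\n' | classify_sslv3_probe
    printf 'CONNECTED(00000003)\n1234:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40\n' | classify_sslv3_probe
    printf 's_client: Unknown option: -ssl3\n' | classify_sslv3_probe
    printf 'connect: Connection refused\nconnect:errno=111\n' | classify_sslv3_probe
}
demo
```

Typical use is probe_sslv3 mail.example.com 465 for the wrapper-mode port and probe_sslv3 mail.example.com 25 smtp for the STARTTLS port, looped over every host and service you expose; treat anything other than refused as work to do, and treat unsupported as a problem with the scanning host, not a clean result.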
Microsoft Internet Information Services
Official Microsoft knowledge base article about disabling particular protocols in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
Windows Server stores the enabled state of each Schannel protocol in the registry, with separate Client and Server subkeys per protocol. To disable SSL 3.0 for the server role:
- Click Start, click Run, type regedt32 or regedit, and then click OK.
- In Registry Editor, locate the following registry key (the SSL 3.0 and Server subkeys may not exist by default; create them if necessary):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
- On the Edit menu, click Add Value (in regedit: New, DWORD (32-bit) Value).
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK. Note: if this value is already present, double-click it to edit its current value.
- Type 00000000 in the Binary Editor to set the value of the new entry to 0, and then click OK.
- Restart the computer; the change does not take effect until Schannel is reinitialised at boot.
Plesk uses the same SSL engine for its own control panel web server, so the sw-cp-server service should also be configured to refuse SSL 3.0.
Plesk 11.5 and later
Edit /etc/sw-cp-server/config and add:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart:
sudo service sw-cp-server restart
Plesk 11.0
Edit /usr/local/psa/admin/conf/ssl-conf.sh and add the line echo 'ssl.use-sslv3 = "disable"' after the existing echo 'ssl.use-sslv2 = "disable"' directive, so that it looks like this:
echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'
echo 'ssl.use-sslv3 = "disable"'
Restart:
sudo service sw-cp-server restart
Spot on with this write-up, I honestly believe that this website needs a lot more attention. I'll probably be back again to read more, thanks for the advice!