Skip to main content

Posts

Showing posts from October, 2014

Turning Off SSLv3 in Apache and IIS8, AKA Putting Down the Poodle That Bites

Poodle is a security vulnerability that has been found in SSLv3. Since SSL is over ten years old, and the only browsers that support it as the strongest version of encryption are IE6 and older, in my humble opinion it is safe to turn it off.  Let's start with the easy one, Linux, in particular CentOS. NB you will most likely need to be root or be part of the sudo group to make the following changes 1)     Open the ssl.config file with your favourite text editor. In Red Hat based distributions like CentOS you should find it in /etc/httpd/mods-available/ssl.conf 2)     Find the line starting with  SSLProtocol 3)     Change it to  SSLProtocol all -SSLv2 -SSLv3 This will allow all ciphers expect SSLv2 and SSLv3 4)     Save ssl.conf and exit your text editor 5)     Restart Apache by running the command service httpd restart 6)     Use a tool like sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be ssl