Wednesday, October 15, 2014

Turning Off SSLv3 in Apache and IIS8, AKA Putting Down the Poodle That Bites

Poodle is a security vulnerability that has been found in SSLv3. Since SSL is over ten years old, and the only browsers that support it as the strongest version of encryption are IE6 and older, in my humble opinion it is safe to turn it off. 

Let's start with the easy one, Linux, in particular CentOS.
NB you will most likely need to be root or be part of the sudo group to make the following changes



1)     Open the ssl.config file with your favourite text editor.
In Red Hat based distributions like CentOS you should find it in
/etc/httpd/mods-available/ssl.conf

2)     Find the line starting with 
SSLProtocol

3)     Change it to 
SSLProtocol all -SSLv2 -SSLv3
This will allow all ciphers expect SSLv2 and SSLv3

4)     Save ssl.conf and exit your text editor

5)     Restart Apache by running the command
service httpd restart

6)     Use a tool like sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
The list will be long so it might be worth redirecting the output to a file or piping the out into grep to return only the SSL ciphers
see step 14 of Windows for sample output



That's Linux done, now onto Windows and IIS8

To turn SSL support off for Windows you need to edit the registry. Doing this is fraught with danger, you can really mess up your Windows box if you do something wrong in the registry. Also you will need to reboot your server for the changes to take effect, not an iisreset an actual system reboot.
1)     Open regedit.exe

2)     Make a backup of your registry

3)     Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

4)     Backup this level of the registry

5)     Go into SSLv3, create a key/directory named "SSLv3" if it doesn't already exist

6)     Create a key/directory named "Client" if it doesn't already exist inside the SSLv3 key/directory

7)     Inside "Client" key/directory create or edit the dword value "DisabledByDefault" and set it to equal 1

8)     Create a key/directory named "Server" if it doesn't already exist inside the SSLv3 key/directory NB this should be at the same level as the "Client" key/directory

9)     Inside "Server" key/directory create or edit the dword value "Enabled" and set it to equal 0

10) Repeat steps 5 through 9 for SSLv2 it's the same process just replace SSLv3 key/directory with SSLv2 key/directory
you should have entries in your registry like the image below

11) Close regedit.exe

12) Reboot your server, this step is important your server will still accept SSL connection if you just do an iisreset

13) Download sslscan for Windows from https://code.google.com/p/sslscan-win/downloads/detail?name=SSLScan-1.8.2-win-r7.zip&can=2&q=

14) Run sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk


Example out from SSLScan is as follows
C:\Users\luke.mccarthy\Desktop\SslScan>SslScan my-side-projects.blogspot.co.uk
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server my-side-projects.blogspot.co.uk on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5

That's it you're all done, hope this helped.

4 comments:

  1. Any suggestions if after doing all this and double checking things the scan still comes back accepting a few, most of them fail but some are still accepting.

    ReplyDelete
    Replies
    1. Check any virtual host files for the line SSLProtocol all -SSLv2

      Delete
  2. Just an FYI to all, not sure what happened with my configuration but I downloaded IISCrypto and by using this to disable the SSLv3 finished up the job. By using IISCrypto I was able to dial down to the ones that were still being accepted and disable them. Rebooted and my problem was taken care of.

    ReplyDelete