Skip to main content

Turning Off SSLv3 in Apache and IIS8, AKA Putting Down the Poodle That Bites

Poodle is a security vulnerability that has been found in SSLv3. Since SSL is over ten years old, and the only browsers that support it as the strongest version of encryption are IE6 and older, in my humble opinion it is safe to turn it off. 

Let's start with the easy one, Linux, in particular CentOS.
NB you will most likely need to be root or be part of the sudo group to make the following changes



1)     Open the ssl.config file with your favourite text editor.
In Red Hat based distributions like CentOS you should find it in
/etc/httpd/mods-available/ssl.conf

2)     Find the line starting with 
SSLProtocol

3)     Change it to 
SSLProtocol all -SSLv2 -SSLv3
This will allow all ciphers expect SSLv2 and SSLv3

4)     Save ssl.conf and exit your text editor

5)     Restart Apache by running the command
service httpd restart

6)     Use a tool like sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
The list will be long so it might be worth redirecting the output to a file or piping the out into grep to return only the SSL ciphers
see step 14 of Windows for sample output



That's Linux done, now onto Windows and IIS8

To turn SSL support off for Windows you need to edit the registry. Doing this is fraught with danger, you can really mess up your Windows box if you do something wrong in the registry. Also you will need to reboot your server for the changes to take effect, not an iisreset an actual system reboot.
1)     Open regedit.exe

2)     Make a backup of your registry

3)     Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

4)     Backup this level of the registry

5)     Go into SSLv3, create a key/directory named "SSLv3" if it doesn't already exist

6)     Create a key/directory named "Client" if it doesn't already exist inside the SSLv3 key/directory

7)     Inside "Client" key/directory create or edit the dword value "DisabledByDefault" and set it to equal 1

8)     Create a key/directory named "Server" if it doesn't already exist inside the SSLv3 key/directory NB this should be at the same level as the "Client" key/directory

9)     Inside "Server" key/directory create or edit the dword value "Enabled" and set it to equal 0

10) Repeat steps 5 through 9 for SSLv2 it's the same process just replace SSLv3 key/directory with SSLv2 key/directory
you should have entries in your registry like the image below

11) Close regedit.exe

12) Reboot your server, this step is important your server will still accept SSL connection if you just do an iisreset

13) Download sslscan for Windows from https://code.google.com/p/sslscan-win/downloads/detail?name=SSLScan-1.8.2-win-r7.zip&can=2&q=

14) Run sslscan to check all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk


Example out from SSLScan is as follows
C:\Users\luke.mccarthy\Desktop\SslScan>SslScan my-side-projects.blogspot.co.uk
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server my-side-projects.blogspot.co.uk on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5

That's it you're all done, hope this helped.

Comments

  1. Any suggestions if after doing all this and double checking things the scan still comes back accepting a few, most of them fail but some are still accepting.

    ReplyDelete
    Replies
    1. Check any virtual host files for the line SSLProtocol all -SSLv2

      Delete
  2. Just an FYI to all, not sure what happened with my configuration but I downloaded IISCrypto and by using this to disable the SSLv3 finished up the job. By using IISCrypto I was able to dial down to the ones that were still being accepted and disable them. Rebooted and my problem was taken care of.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to Pretty Print JSON and XML from the Command Line

As developers we often need to take minified JSON and XML and pretty print it so it is human readable. A multitude of websites provide a free service where you can enter minified JSON or XML and it will format it the data so it is human readable. The problem is this can lead to leaking data causing security incidents. The solution is to write a couple of bash scripts to pretty print. A big thanks to Campovski 's answer on stackoverflow for the JSON and Ben Noland 's answer on stackoverflow and Anton I. Sipos ' comment for the XML I took these answers a little further and created a bash script that accepts arguments so you can pretty print A file The result returned form an API A string Data piped in Both scripts have the same usage Format a file with the -f flag JSON ./pretty_json.sh -f <name_of_file> XML ./pretty_xml.sh -f <name_of_file> Format the return value of an API with the -u flag JSON ./pretty_json.sh -u www.api.com XML ./pretty_xml.sh -u

Change the Colour of Emacs Shell Prompt and Font Highlighting

The project I'm currently working on is Linux based, and I just can’t get my head around vi no matter how hard I try. Fortunately I have root privileges, so Emacs to the rescue :) We are using CentOS so installing is as easy as sudo yum install emacs   One of the many reasons I really like Emacs is you can run a shell inside Emacs. Press Alt – x Type shell Press enter NB the Alt key in Emacs is often called the Meta key and the key combination above would be shortened to M – x This allows me to split the Emacs window and have the shell in the bottom half and what I working on in the top half, see the image below. To switch between the shell and what I’m working on I press M – O (that’s Alt and the letter O and not the number zero, Alt zero will unsplit the screen) If like me you’re running Emacs inside Putty the first thing you might notice is the shell prompt is in dark blue on a black background. Not only is this very difficult to read but it c