POODLE (Padding Oracle On Downgraded Legacy Encryption) is a security vulnerability in SSLv3: an attacker who can intercept and alter traffic can decrypt parts of a session that uses one of SSLv3's CBC cipher suites, and because many clients retry a failed handshake at a lower protocol version, a connection can be pushed down to SSLv3 even when both ends support TLS. Since SSLv3 dates from 1996, and the only browsers that still use it as their strongest protocol by default are IE6 and older, in my humble opinion it is safe to turn it off.
Let's start with the easy one, Linux, in particular CentOS.
NB you will most likely need to be root or be part of the sudo group to make the following changes
1) Open ssl.conf with your favourite text editor. On Red Hat based distributions like CentOS you should find it at /etc/httpd/conf.d/ssl.conf (the mods-available layout belongs to Debian and Ubuntu, where the file is /etc/apache2/mods-available/ssl.conf).
2) Find the line starting with SSLProtocol
3) Change it to
SSLProtocol all -SSLv2 -SSLv3
This enables every protocol version except SSLv2 and SSLv3, so TLS 1.0 and later; the cipher list itself is controlled separately by SSLCipherSuite. Note that an SSLProtocol directive inside a <VirtualHost> block overrides this global one, so any virtual host that sets its own must be updated too or that host will carry on accepting SSLv3.
4) Save ssl.conf and exit your text editor
5) Restart Apache by running the command
service httpd restart
(on CentOS 7, which uses systemd, the equivalent is systemctl restart httpd)
6) Use a tool like sslscan to check that all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
The list will be long, so it might be worth redirecting the output to a file or piping it into grep to return only the SSLv2 and SSLv3 lines; see step 14 of the Windows section for sample output.
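As an added example (not code from the post), here is a small Python audit that walks an httpd configuration tree and evaluates every SSLProtocol directive the way mod_ssl does, flagging the ones that still leave SSLv3 enabled and recording whether each sits inside a <VirtualHost>, since a per-host directive overrides the global one in ssl.conf. The config files it scans are constructed in a temporary directory; the file names, host names and the "all" expansion are assumptions for the demo. Point audit() at /etc/httpd to run it against a real server.

```python
"""Audit an httpd configuration tree for SSLProtocol directives that still
allow SSLv3 (added example; the sample config files are constructed)."""
import os
import re
import tempfile
from dataclasses import dataclass

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)

# What the 'all' keyword expands to. Apache 2.4 dropped SSLv2 entirely, but
# keeping it in the set makes the audit conservative for 2.2 configs.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}


def enabled_protocols(args):
    """Evaluate an SSLProtocol argument list the way mod_ssl does: tokens are
    applied left to right, 'all' is the whole set, '-X' removes X, and '+X'
    or a bare 'X' adds X."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        members = ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= members
        else:
            enabled |= members
    return enabled


def allows_sslv3(args):
    return "sslv3" in enabled_protocols(args)


@dataclass
class Finding:
    path: str        # relative to the config root
    line: int
    args: str        # the directive's argument list as written
    in_vhost: bool   # inside <VirtualHost>, i.e. overrides the global setting

    @property
    def weak(self):
        return allows_sslv3(self.args)


def audit(root):
    """Walk every *.conf under root and return one Finding per SSLProtocol
    directive. Include/IncludeOptional are not followed; the walk itself
    covers the usual conf.d drop-in layout."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".conf"):
                continue
            path = os.path.join(dirpath, name)
            in_vhost = False
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if line.lstrip().startswith("#"):      # comment lines
                        continue
                    if VHOST_OPEN.match(line):
                        in_vhost = True
                    elif VHOST_CLOSE.match(line):
                        in_vhost = False
                    m = DIRECTIVE.match(line)
                    if m:
                        findings.append(Finding(os.path.relpath(path, root),
                                                lineno, m.group(1), in_vhost))
    return findings


# Constructed sample tree: the global file fixed as in step 3, plus a vhost
# drop-in whose first host was never updated and so re-enables SSLv3.
SAMPLE_FILES = {
    "conf.d/ssl.conf": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "conf.d/vhosts.conf": (
        "<VirtualHost *:443>\n"
        "    ServerName legacy.example.test\n"
        "    SSLProtocol all -SSLv2\n"
        "</VirtualHost>\n"
        "<VirtualHost *:443>\n"
        "    ServerName modern.example.test\n"
        "    # SSLProtocol all\n"
        "    SSLProtocol TLSv1.2\n"
        "</VirtualHost>\n"
    ),
}


def make_sample_tree():
    root = tempfile.mkdtemp(prefix="httpd-")
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for f in audit(make_sample_tree()):      # use audit("/etc/httpd") on a real box
        scope = "vhost" if f.in_vhost else "global"
        verdict = "STILL ALLOWS SSLv3" if f.weak else "ok"
        print(f"{f.path}:{f.line} [{scope}] SSLProtocol {f.args} -> {verdict}")
```

The evaluation deliberately mirrors mod_ssl's left-to-right processing rather than looking for the literal string "-SSLv3", so "SSLProtocol TLSv1.2" passes and "SSLProtocol all -SSLv2" in a forgotten vhost file is reported as still weak.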
That's Linux done, now onto Windows and IIS8
To turn SSLv3 support off on Windows you need to edit the registry: IIS has no setting of its own for this, because the protocol versions offered are controlled by SChannel, the system-wide SSL/TLS provider. Doing this is fraught with danger; you can really mess up your Windows box if you do something wrong in the registry. Also you will need to reboot your server for the changes to take effect, not an iisreset, an actual system reboot.
1) Open regedit.exe
2) Make a backup of your registry
3) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
4) Back up this level of the registry (right-click the Protocols key and export it)
5) Under Protocols, create a key (shown as a folder in regedit) named "SSLv3" if it doesn't already exist, and open it
6) Inside the SSLv3 key create a key named "Client" if it doesn't already exist
7) Inside the "Client" key create or edit the DWORD value "DisabledByDefault" and set it to 1. This side governs outbound SSL/TLS connections the server itself makes through SChannel, not what IIS accepts.
8) Inside the SSLv3 key create a key named "Server" if it doesn't already exist. NB this should be at the same level as the "Client" key
9) Inside the "Server" key create or edit the DWORD value "Enabled" and set it to 0. This is the value that stops IIS accepting SSLv3 connections.
10) Repeat steps 5 through 9 for SSLv2; it's the same process, just use an "SSLv2" key in place of the "SSLv3" key. You should then have entries in your registry like the image below
11) Close regedit.exe
12) Reboot your server. This step is important: SChannel is a system component, so your server will still accept SSLv3 connections if you only do an iisreset
13) Download sslscan for Windows from https://code.google.com/p/sslscan-win/downloads/detail?name=SSLScan-1.8.2-win-r7.zip&can=2&q=
14) Run sslscan to check that all SSLv2 and SSLv3 ciphers are rejected or fail. An example of this would be
sslscan my-side-projects.blogspot.co.uk
C:\Users\luke.mccarthy\Desktop\SslScan>SslScan my-side-projects.blogspot.co.uk
(sslscan ASCII-art banner)
Version 1.8.2-win
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Compiled against OpenSSL 0.9.8m 25 Feb 2010
Testing SSL server my-side-projects.blogspot.co.uk on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 128 bits IDEA-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
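The registry edits from steps 5 to 10, scripted and read back for verification with Python's winreg module, as an added example rather than anything from the post. The key path and the value names are the ones the steps use; the in-memory DictBackend is a stand-in for the registry so the same apply/audit logic runs, and can be checked, on a machine that is not Windows. Run on the server itself it really writes HKLM, needs an elevated prompt, and the reboot from step 12 is still required afterwards.

```python
"""Apply and verify the SCHANNEL registry settings from steps 5 to 10
(added example). HIVE_PATH and the value names are the ones used in the
steps; DictBackend is an in-memory stand-in so the logic runs off Windows."""
import sys

HIVE_PATH = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# (protocol, side, value name, DWORD value): Client gets DisabledByDefault=1,
# Server gets Enabled=0, for both SSLv2 and SSLv3.
SETTINGS = [
    (proto, side, name, value)
    for proto in ("SSLv2", "SSLv3")
    for side, name, value in (("Client", "DisabledByDefault", 1),
                              ("Server", "Enabled", 0))
]


class WinRegBackend:
    """Real registry access via winreg (needs an elevated prompt)."""

    def __init__(self):
        import winreg
        self.reg = winreg

    def set_dword(self, subkey, name, value):
        r = self.reg
        # CreateKeyEx creates every missing key along the path, which covers
        # the "create the key if it doesn't already exist" steps.
        with r.CreateKeyEx(r.HKEY_LOCAL_MACHINE, subkey, 0, r.KEY_SET_VALUE) as key:
            r.SetValueEx(key, name, 0, r.REG_DWORD, value)

    def get_dword(self, subkey, name):
        r = self.reg
        try:
            with r.OpenKey(r.HKEY_LOCAL_MACHINE, subkey) as key:
                value, kind = r.QueryValueEx(key, name)
        except OSError:             # key or value missing
            return None
        return value if kind == r.REG_DWORD else None   # wrong type counts as unset


class DictBackend:
    """Registry stand-in; keys and value names are case-insensitive like the real thing."""

    def __init__(self, initial=None):
        self.store = {(k.lower(), n.lower()): v for (k, n), v in (initial or {}).items()}

    def set_dword(self, subkey, name, value):
        self.store[(subkey.lower(), name.lower())] = value

    def get_dword(self, subkey, name):
        return self.store.get((subkey.lower(), name.lower()))


def subkey_for(proto, side):
    return f"{HIVE_PATH}\\{proto}\\{side}"


def apply_settings(backend):
    for proto, side, name, value in SETTINGS:
        backend.set_dword(subkey_for(proto, side), name, value)


def audit(backend):
    """Return (subkey, name, expected, actual) for every setting that is
    missing or wrong. An empty list means the registry side is done; the
    reboot from step 12 is still needed before SChannel picks it up."""
    problems = []
    for proto, side, name, value in SETTINGS:
        actual = backend.get_dword(subkey_for(proto, side), name)
        if actual != value:
            problems.append((subkey_for(proto, side), name, value, actual))
    return problems


if __name__ == "__main__":
    backend = WinRegBackend() if sys.platform == "win32" else DictBackend()
    print("before:", len(audit(backend)), "setting(s) wrong or missing")
    apply_settings(backend)
    for problem in audit(backend):
        print("still wrong:", problem)
    print("after:", len(audit(backend)), "setting(s) wrong or missing")
```

The audit treats a value of the wrong type, or one left at any value other than the expected DWORD, as not set, which is the case the manual steps are most likely to get wrong.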
That's it you're all done, hope this helped.
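What sslscan's "Rejected SSLv3 ..." lines mean at the wire level, as an added example that is not part of the post or of sslscan: the script offers the server a genuine SSLv3 ClientHello and classifies the first record that comes back, which serves both the Linux (step 6) and Windows (step 14) checks and does not need an OpenSSL build that still has SSLv3 compiled in. The record layout and cipher-suite ids are those of SSL 3.0; the two sample replies are constructed bytes, and the host name on the command line is whatever you point it at.

```python
"""Offer SSLv3 to a server and classify the answer; this is what each
"Rejected SSLv3 ..." line from sslscan boils down to. Added example: the
sample replies below are constructed, the host is a command-line argument."""
import os
import socket
import struct
import sys

# A handful of SSLv3-era suites to offer (ids as in the SSL 3.0/TLS registry).
SUITES = {
    0x0035: "AES256-SHA",
    0x002F: "AES128-SHA",
    0x000A: "DES-CBC3-SHA",
    0x0005: "RC4-SHA",
    0x0004: "RC4-MD5",
}
SSLV3 = 0x0300
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(random_bytes=None):
    """SSLv3 ClientHello: record header, handshake header, hello body.
    No extensions, since SSL 3.0 predates them."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", SSLV3) + random_bytes + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + struct.pack("!H", SSLV3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sends back to (verdict, detail)."""
    if not data:
        return "rejected", "server closed the connection without answering"
    rtype = data[0]
    if rtype == 0x15 and len(data) >= 7:                       # alert record
        level, desc = data[5], data[6]
        return "rejected", f"alert {ALERT_NAMES.get(desc, desc)} (level {level})"
    if rtype == 0x16 and len(data) >= 11 and data[5] == 0x02:  # handshake: server_hello
        version = struct.unpack("!H", data[9:11])[0]
        sid_len = data[43] if len(data) > 43 else 0            # after the 32-byte server random
        pos = 44 + sid_len
        suite = struct.unpack("!H", data[pos:pos + 2])[0] if len(data) >= pos + 2 else None
        if version == SSLV3:
            name = SUITES.get(suite, f"{suite:#06x}" if suite is not None else "unknown")
            return "accepted", f"SSLv3 ServerHello, cipher suite {name}"
        return "other", f"ServerHello with version {version:#06x}"
    return "other", f"unexpected record type {rtype:#04x}"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_response(reply)


# Constructed replies for offline use: a server that still speaks SSLv3 ...
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a"              # handshake record, 42 bytes
                       b"\x02\x00\x00\x26"                  # server_hello, 38-byte body
                       b"\x03\x00" + b"\x11" * 32           # version 3.0, server random
                       + b"\x00" + b"\x00\x35" + b"\x00")   # no session id, AES256-SHA, null compression
# ... and one that refuses it, as a hardened host should.
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"              # fatal (2) handshake_failure (40)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                             # e.g. python probe.py www.example.test
    else:
        for label, sample in (("server hello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_ALERT), ("closed", b"")):
            print(f"{label:>12}: {classify_response(sample)}")
```

A server that has been fixed answers the SSLv3 offer with an alert or by dropping the connection; one that replies with a version 3.0 ServerHello is still exposed regardless of which cipher it picks, which is why the whole protocol version is disabled rather than individual suites.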
Comment: Any suggestions if, after doing all this and double-checking things, the scan still comes back accepting a few? Most of them fail but some are still accepting.
Comment: Check any virtual host files for the line SSLProtocol all -SSLv2
Comment: Just an FYI to all: not sure what happened with my configuration, but I downloaded IISCrypto and using this to disable SSLv3 finished up the job. By using IISCrypto I was able to dial down to the ones that were still being accepted and disable them. Rebooted and my problem was taken care of.
Comment: Are you using Windows or Linux?