rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 8:40 pm

Hi, I'm running an Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I audited my site with Qualys SSL Labs, it told me that I am vulnerable to a Poodle attack and suggested that I disable SSL3, but I can't find anywhere how to do this.

Any help would be appreciated.

Paul

fruitoftheloom
Posts: 26285
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:01 pm

rossoreed wrote: Hi, I'm running an Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I audited my site with Qualys SSL Labs, it told me that I am vulnerable to a Poodle attack and suggested that I disable SSL3, but I can't find anywhere how to do this.

Any help would be appreciated.

Paul
If you are running Raspbian Wheezy, have you run a full update?

Code:

sudo apt-get update
sudo apt-get dist-upgrade
This will take you to 24th Oct '14 and should be undertaken as it includes the openssl and bash security updates.

rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:45 pm

I've just tried that, and ran the test again and it's still showing the site as exposed. It also shows that SSL 3 is available.

The advice given for disabling SSLv3 is as follows:

To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart


But entering 'SSLProtocol All -SSLv2 -SSLv3' in the command line returns 'SSLProtocol: command not found'

DougieLawson
Posts: 41047
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:48 pm

Er, that stuff goes in your /etc/apache2/sites-enabled/*ssl*.conf files.

rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 10:44 pm

Dougie, yes you are correct (as usual!)
Adding 'SSLProtocol All -SSLv2 -SSLv3' to the /etc/apache2/sites-enabled/*ssl*.conf file has disabled SSLv3 and cleared the vulnerability in the security audit.

Thank you

Paul
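The SSLProtocol logic behind the fix in this thread, as an added example (not code from the thread or from the Apache project): a small Python checker that reads an Apache vhost fragment and reports whether SSLv3 is still offered, using mod_ssl's token rules as I understand them (a bare token replaces the set, '+' adds, '-' removes, and no directive at all means the default "all", which is why an untouched vhost still fails the audit). The protocol list for "all" and the two sample vhosts are constructed assumptions.

```python
import re

# Protocols a mod_ssl build of the Wheezy/2.2-2.4 era knows about (assumption).
# Newer builds already drop SSLv2, but that does not change the SSLv3 verdict.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_sslprotocol(args):
    """Evaluate the tokens of one SSLProtocol directive, mod_ssl style:
    a bare token replaces the set, '+tok' adds to it, '-tok' removes from it."""
    enabled = set()
    for tok in args.split():
        action, name = "=", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        key = name.lower()
        if key == "all":
            chosen = set(ALL_PROTOCOLS)
        elif key in CANONICAL:
            chosen = {CANONICAL[key]}
        else:
            raise ValueError(f"unknown protocol token: {tok}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled


def enabled_protocols(config_text):
    """Protocol set in force for a config fragment. With no SSLProtocol
    directive the mod_ssl default 'all' applies; within one fragment a later
    directive overrides an earlier one. Comments after '#' are ignored."""
    enabled = parse_sslprotocol("all")
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if m:
            enabled = parse_sslprotocol(m.group(1))
    return enabled


def sslv3_allowed(config_text):
    return "SSLv3" in enabled_protocols(config_text)


# Constructed samples: a default SSL vhost before and after the fix from the thread.
VULNERABLE = "<VirtualHost *:443>\n    SSLEngine on\n</VirtualHost>\n"
FIXED = ("<VirtualHost *:443>\n    SSLEngine on\n"
         "    SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n")
```

Run it over the text of each file in /etc/apache2/sites-enabled/ to see which vhosts still offer SSLv3 before re-running the SSL Labs test.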
