Hi, I'm running an Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I've audited my site with Qualys SSL Labs, it tells me that I am vulnerable to a Poodle attack, and has suggested that I disable SSL3, but I can't find anywhere how to do this.
Any help would be appreciated.
Paul
Re: SSL 3 - Poodle Vulnerability
If you are running Raspbian Wheezy, have you run a full update?
Code:
sudo apt-get update
sudo apt-get dist-upgrade
The information is out there....you just have to let it in.
My other Linux machines are a ChromeBox & Intel CoreDuo Desktop
Re: SSL 3 - Poodle Vulnerability
I've just tried that, and ran the test again and it's still showing the site as exposed. It also shows that SSL 3 is available.
The advice that is given to disable SSLv3 is as follows:
To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart
But entering 'SSLProtocol All -SSLv2 -SSLv3' in the command line returns 'SSLProtocol: command not found'
- DougieLawson
Re: SSL 3 - Poodle Vulnerability
Er, that stuff goes in your /etc/apache2/sites-enabled/*ssl*.conf files.
Any language using left-hand whitespace for syntax is ridiculous
Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.
Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
Re: SSL 3 - Poodle Vulnerability
Dougie, yes you are correct (as usual!)
Adding 'SSLProtocol All -SSLv2 -SSLv3' to the /etc/apache2/sites-enabled/*ssl*.conf file has disabled SSLv3 and cleared the vulnerability in the security audit.
Thank you
Paul
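One way to confirm locally that every SSLProtocol directive in a config file leaves SSLv3 off, as an added example that is not part of the original thread. The function names and the sample vhost file are constructed for illustration, and the evaluation is a simplified model that assumes "All" includes SSLv3, as the advice quoted above implies.

```shell
#!/bin/sh
# Added example (not from the thread): flag SSLProtocol directives that leave SSLv3 on.
# Simplified model of left-to-right evaluation of the directive's arguments;
# assumes "All" includes SSLv3, as the advice quoted in the thread implies.

# Print "on" or "off": the SSLv3 state after applying one directive's arguments.
sslv3_state() (
    set -f                                  # no globbing while word-splitting
    state=off
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            all|+all|sslv3|+sslv3) state=on ;;
            -all|-sslv3)           state=off ;;
            +*|-*)                 ;;            # another protocol added or removed
            *)                     state=off ;;  # bare protocol replaces the set
        esac
    done
    printf '%s\n' "$state"
)

# Exit status: 0 = every SSLProtocol line disables SSLv3, 1 = at least one
# leaves it enabled, 2 = no SSLProtocol directive in the file (default applies).
audit_conf() (
    set -f
    conf=$1; found=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $(printf '%s' "$line" | tr 'A-Z' 'a-z')
        [ "${1:-}" = sslprotocol ] || continue   # skips comments and other directives
        shift; found=1
        if [ "$(sslv3_state "$*")" = on ]; then
            printf '%s: SSLv3 enabled by: %s\n' "$conf" "$line"
            bad=1
        fi
    done < "$conf"
    [ "$found" -eq 1 ] || exit 2
    exit "$bad"
)

# Constructed sample vhost file, audited when the script is run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # SSLProtocol All
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
EOF
audit_conf "$sample" && echo "sample: SSLv3 disabled"
rm -f "$sample"
```

To audit a real setup, call audit_conf on each file matching /etc/apache2/sites-enabled/*ssl*.conf; a status of 2 means the file sets no SSLProtocol at all, so the server default decides.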