rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 8:40 pm

Hi, I'm running an Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I've audited my site with Qualys SSL Labs, it tells me that I am vulnerable to a Poodle attack, and has suggested that I disable SSL3, but I can't find anywhere how to do this.

Any help would be appreciated.

Paul

fruitoftheloom
Posts: 19784
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:01 pm

rossoreed wrote:
Hi, I'm running an Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I've audited my site with Qualys SSL Labs, it tells me that I am vulnerable to a Poodle attack, and has suggested that I disable SSL3, but I can't find anywhere how to do this.

Any help would be appreciated.

Paul
If you are running Raspbian Wheezy, have you run a full update?

sudo apt-get update
sudo apt-get dist-upgrade
This will take you to 24th Oct '14 and should be undertaken as it includes the openssl and bash security updates.
adieu


rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:45 pm

I've just tried that, and ran the test again and it's still showing the site as exposed. It also shows that SSL 3 is available.

The advice that is given to disable SSLv3 is as follows:

To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart


But entering 'SSLProtocol All -SSLv2 -SSLv3' in the command line returns 'SSLProtocol: command not found'

DougieLawson
Posts: 35364
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 9:48 pm

Er, that stuff goes in your /etc/apache2/sites-enabled/*ssl*.conf files.

rossoreed
Posts: 35
Joined: Mon Dec 30, 2013 9:48 am

Re: SSL 3 - Poodle Vulnerability

Mon Oct 27, 2014 10:44 pm

Dougie, yes you are correct (as usual!)
Adding 'SSLProtocol All -SSLv2 -SSLv3' to the /etc/apache2/sites-enabled/*ssl*.conf file has disabled SSLv3 and cleared the vulnerability in the security audit.

Thank you

Paul
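
Added example, not part of the original thread: a shell check that reads an Apache config file and reports whether each active SSLProtocol directive still leaves SSLv3 enabled, evaluating the +/- tokens left to right. The function names `sslv3_state` and `audit_conf` are hypothetical, the sample config is constructed, and it assumes that `all` (and a missing directive) includes SSLv3, as on the server in this thread.

```sh
# Added example; function names are hypothetical, sample config is constructed.
# sslv3_state ARGS...: apply one SSLProtocol directive's arguments left to
# right, as mod_ssl does, and print whether SSLv3 ends up "on" or "off".
# Assumption: "all" includes SSLv3, as on the Apache build in this thread.
sslv3_state() {
    local state=off tok name
    for tok in "$@"; do
        name=$(printf '%s' "${tok#[+-]}" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            -*) case "$name" in all|sslv3) state=off ;; esac ;;
            +*) case "$name" in all|sslv3) state=on ;; esac ;;
            *)  # a bare token replaces the whole set built so far
                case "$name" in all|sslv3) state=on ;; *) state=off ;; esac ;;
        esac
    done
    printf '%s\n' "$state"
}

# audit_conf FILE: report each active (uncommented) SSLProtocol line.
# Returns 0 only if a directive exists and none leaves SSLv3 on; a file with
# no directive fails because the default is assumed to include SSLv3.
audit_conf() {
    local file="$1" n=0 found=0 bad=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # split into words without globbing
        [ "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" = sslprotocol ] || continue
        shift; found=1
        if [ "$(sslv3_state "$@")" = on ]; then
            bad=1; echo "$file:$n: SSLv3 ENABLED: $line"
        else
            echo "$file:$n: SSLv3 disabled: $line"
        fi
    done <"$file"
    [ "$found" -eq 1 ] || { echo "$file: no SSLProtocol directive found"; return 1; }
    return "$bad"
}

# Demo on a constructed vhost fragment (not the poster's real file).
demo=$(mktemp)
printf '%s\n' '<VirtualHost *:443>' '    SSLEngine on' \
    '    SSLProtocol All -SSLv2 -SSLv3' '</VirtualHost>' >"$demo"
audit_conf "$demo" || true
rm -f "$demo"
```

Run `audit_conf` against each of the /etc/apache2/sites-enabled/*ssl*.conf files before restarting Apache; a non-zero exit status means at least one file would still offer SSLv3.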
