Hi, I'm running a Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I've audited my site with Qualis SSL Labs, it tells me that I am vulnerable to a Poodle attack, and have suggested that I disable SSL3, but I can't find anywhere how to do this.
Any help would be appreciated.
Paul
-
fruitoftheloom
- Posts: 19784
- Joined: Tue Mar 25, 2014 12:40 pm
- Location: Delightful Dorset
Re: SSL 3 - Poodle Vulnerability
IF you are running Raspbian Wheezy have you ran a full update ?rossoreed wrote:Hi, I'm running a Apache2 server on my Pi, and have recently enabled SSL authentication (https) with a StartSSL certificate.
Everything has gone well, but when I've audited my site with Qualis SSL Labs, it tells me that I am vulnerable to a Poodle attack, and have suggested that I disable SSL3, but I can't find anywhere how to do this.
Any help would be appreciated.
Paul
Code: Select all
sudo apt-get update
sudo apt-get dist-upgrade
adieu
My other Computer is an Asus CS10 ChromeBit running Chrome Operating System.
HP Envy 4500 Wireless Printer supported by HPLIP software in Raspbian Buster.
Raspberry Pi Model 2B v1.1
My other Computer is an Asus CS10 ChromeBit running Chrome Operating System.
HP Envy 4500 Wireless Printer supported by HPLIP software in Raspbian Buster.
Raspberry Pi Model 2B v1.1
Re: SSL 3 - Poodle Vulnerability
I've just tried that, and ran the test again and it's still showing the site as exposed. It also shows that SSL 3 is available.
The advise that is given to disable SSLv3 is as follows;
To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart
But entering 'SSLProtocol All -SSLv2 -SSLv3' in the command line returns 'SSLProtocol: command not found'
The advise that is given to disable SSLv3 is as follows;
To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart
But entering 'SSLProtocol All -SSLv2 -SSLv3' in the command line returns 'SSLProtocol: command not found'
-
DougieLawson
- Posts: 35364
- Joined: Sun Jun 16, 2013 11:19 pm
- Location: Basingstoke, UK
- Contact: Website Twitter
Re: SSL 3 - Poodle Vulnerability
Er, that stuff goes in your /etc/apache2/sites-enabled/*ssl*.conf files.
Note: Having anything remotely humorous in your signature is completely banned on this forum.
Any DMs sent on Twitter will be answered next month.
This is a doctor free zone.
Any DMs sent on Twitter will be answered next month.
This is a doctor free zone.
Re: SSL 3 - Poodle Vulnerability
Dougie, yes you are correct (as usual!)
adding 'SSLProtocol All -SSLv2 -SSLv3' to the /etc/apache2/sites-enabled/*ssl*.conf file has disabled SSLv3 and cleared the vulnerability in the security audit.
Thank you
Paul
adding 'SSLProtocol All -SSLv2 -SSLv3' to the /etc/apache2/sites-enabled/*ssl*.conf file has disabled SSLv3 and cleared the vulnerability in the security audit.
Thank you
Paul