The SSLv3 vulnerability (POODLE) – fix and explanation

POODLE (Padding Oracle On Downgraded Legacy Encryption) is in the news these days, and the fix for it is the following:

Internet Storm Center link and the important parts:

Apache: Add -SSLv3 to the “SSLProtocol” line. It should already contain -SSLv2 unless you list specific protocols.

nginx: list specific allowed protocols in the “ssl_protocols” line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3

HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)

puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions
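To check configuration files against the directives listed above, here is a small audit helper. It is an added example, not code from the Internet Storm Center post, and its function names are hypothetical. It assumes a simplified model: it only looks at lines that contain one of these directives, and it does not account for built-in defaults or HAProxy's force-tls* options.

```python
import re

def sslv3_allowed(line):
    """True/False: does this directive leave SSLv3 usable? None: not a
    directive from the list above (simplified model, an assumption)."""
    line = line.split("#", 1)[0].strip().rstrip(";")
    tokens = [t.lower() for t in re.split(r"[\s,=]+", line) if t]
    if len(tokens) < 2:
        return None
    key, args = tokens[0], tokens[1:]
    if key == "sslprotocol":          # Apache: apply +/- tokens in order
        on = False
        for t in args:
            if t in ("all", "sslv3", "+sslv3"):
                on = True
            elif t in ("-all", "-sslv3"):
                on = False
        return on
    if key == "bind":                 # HAProxy
        if "ssl" not in args:
            return None               # not a TLS listener
        return "no-sslv3" not in args
    if key in ("ssl_protocols", "smtpd_tls_mandatory_protocols"):
        # nginx, Dovecot, Postfix: allow list, or "!" exclusion list
        allowed = [t for t in args if not t.startswith("!")]
        if allowed:
            return "sslv3" in allowed
        return "!sslv3" not in args
    return None

# Constructed sample lines, not taken from any real server.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;
smtpd_tls_mandatory_protocols=!SSLv2
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
ssl_protocols = !SSLv2 !SSLv3
bind :443 ssl crt /etc/haproxy/site.pem
bind :443 ssl crt /etc/haproxy/site.pem no-sslv3
"""

def audit(text):
    """Return (line number, directive) pairs that still permit SSLv3."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if sslv3_allowed(l)]

if __name__ == "__main__":
    for n, directive in audit(SAMPLE):
        print(f"line {n}: SSLv3 still allowed: {directive}")
```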

 

The client software or browser also has settings to change, for example in Internet Explorer, Chrome, and Firefox.

A good explanation is at nakedsecurity.sophos.com; I like this image:

[Image: poodle-ssl3-4991]

SSLv3 is an old, obsolete encryption technology, and we have to be aware of these things.