POODLE Attack
Internal
External
- https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
- https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
Overview
The POODLE Attack (CVE-2014-3566) is a problem in the CBC encryption scheme as implemented in the SSL 3 protocol. TLS 1.0 is immune to it. To exploit POODLE successfully, the attacker must be able to inject malicious JavaScript into the victim's browser and must also be able to observe and manipulate encrypted network traffic on the wire.
Disable SSL3 on Apache httpd
To disable SSLv3 on httpd, modify the SSLProtocol directive as follows and add it in the virtual host(s) definition (I tried modifying the top-level ssl.conf definition and it did not take):
<VirtualHost ...>
    ...
    SSLProtocol All -SSLv2 -SSLv3
    ...
</VirtualHost>
This gives you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3.
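The following audit script is an added example, not part of the original page or of httpd itself: it reads configuration text and reports, for the server scope and each VirtualHost, whether SSLv3 is still enabled. It assumes that "All" (and an unset directive) includes SSLv3, as on builds of that era, and that a virtual host's own SSLProtocol replaces the server-level one; the function names and the sample host names are made up for the illustration.

```python
import re

# Assumption: as on 2014-era builds, "All" (and an unset directive) includes SSLv3.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right: + adds, - removes, bare replaces."""
    enabled = set()
    for word in args.split():
        sign, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        protos = ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = set(protos)      # copy, so ALL itself is never modified
    return enabled

def audit(conf_text):
    """Return [(scope, sslv3_enabled)] for the server scope and every <VirtualHost>."""
    scopes = [["global", None]]        # [name, protocols, or None if not set here]
    current = scopes[0]
    for raw in conf_text.splitlines():
        opened = re.match(r"\s*<VirtualHost\s+([^>]+)>", raw, re.I)
        directive = re.match(r"\s*SSLProtocol\s+(.+)", raw, re.I)
        if opened:
            current = ["vhost " + opened.group(1).strip(), None]
            scopes.append(current)
        elif re.match(r"\s*</VirtualHost", raw, re.I):
            current = scopes[0]
        elif directive:
            current[1] = enabled_protocols(directive.group(1))
    server = scopes[0][1] if scopes[0][1] is not None else set(ALL)
    # Simplified merge model: a vhost's own SSLProtocol replaces the server-level one.
    return [(name, "sslv3" in (protos if protos is not None else server))
            for name, protos in scopes]

# Constructed sample configuration (host names are placeholders).
SAMPLE_CONF = """
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost a.example.test:443>
    SSLProtocol All -SSLv2
</VirtualHost>
<VirtualHost b.example.test:443>
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
"""
if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the sample, the first virtual host still offers SSLv3 even though the server-level directive removes it, because its own SSLProtocol line omits -SSLv3.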