POODLE Attack: Difference between revisions
Line 14: | Line 14: | ||
=Disable SSL3 on Apache httpd= | =Disable SSL3 on Apache httpd= | ||
To disable SSLv3 on httpd modify the <tt>SSLProtocol</tt> directive | To disable SSLv3 on httpd modify the <tt>SSLProtocol</tt> directive as follows and add it '''in the virtual host(s) definition''' (I tried modifying the top level ssl.conf definition and it did not take): | ||
<pre> | <pre> | ||
SSLProtocol All -SSLv2 -SSLv3 | <VirtualHost ...> | ||
... | |||
SSLProtocol All -SSLv2 -SSLv3 | |||
... | |||
</VirtualHost> | |||
</pre> | </pre> | ||
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. | This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. |
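Review bot: The new wording says the server-level SSLProtocol in ssl.conf "did not take" but leaves the reason unexplained, which will send other readers down the same path. The usual cause is that the <VirtualHost> block in ssl.conf (or another included vhost file) carries its own SSLProtocol line, and a vhost-level directive overrides the server-level one; suggest saying so and advising the reader to search every included config file for SSLProtocol rather than only adding the directive inside the vhost. The hunk would also benefit from a closing step: reload httpd and confirm that an SSLv3 handshake is now refused.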
Latest revision as of 00:56, 7 January 2016
Internal
External
- https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
- https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
Overview
The POODLE Attack (CVE-2014-3566) is a weakness in the CBC encryption scheme as implemented in the SSL 3 protocol. TLS 1.0 is immune to it. To exploit POODLE successfully, the attacker must be able to inject malicious JavaScript into the victim's browser and must also be able to observe and manipulate the encrypted network traffic on the wire.
Disable SSL3 on Apache httpd
To disable SSLv3 on httpd, modify the SSLProtocol directive as follows and add it inside the virtual host definition(s) (I tried modifying the top-level ssl.conf definition and it did not take):

<VirtualHost ...>
    ...
    SSLProtocol All -SSLv2 -SSLv3
    ...
</VirtualHost>

This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3.
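The note above that the top-level directive "did not take" is explained by how mod_ssl resolves SSLProtocol: a virtual host that sets the directive overrides the server-level value, and within one directive a bare protocol name replaces everything listed before it. The following Python script is an added example, not code from the original page or from the httpd project; it models those two rules over a constructed ssl.conf excerpt and reports which virtual hosts still accept SSLv3. The protocol list, the default of "all", the treatment of "-SSLv2" as an accepted no-op and the hypothetical host names are assumptions of this model.

```python
"""Model of how Apache mod_ssl resolves SSLProtocol per virtual host.

Constructed example (not code from the original page or from httpd). It
models two mod_ssl rules that explain why a server-level directive can
appear "not to take":
  1. Tokens apply left to right: 'all' stands for every protocol, '+name'
     adds, '-name' removes, and a bare name REPLACES the set built so far
     (mod_ssl logs "overrides already set parameter(s)" in that case).
  2. A <VirtualHost> that sets SSLProtocol overrides the server-level value;
     a vhost without the directive inherits it.
The protocol list, the default of 'all' and the treatment of '-SSLv2' as an
accepted no-op are assumptions of this model, chosen to resemble httpd 2.4.
"""
from __future__ import annotations

import re
from typing import Optional

KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # assumed protocol universe
_VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)


def _canon(tok: str) -> str:
    """Map a case-insensitive protocol token onto its canonical name."""
    for name in KNOWN:
        if name.lower() == tok.lower():
            return name
    raise ValueError(f"SSLProtocol: illegal protocol {tok!r}")


def parse_sslprotocol(arg: str, warnings: Optional[list[str]] = None) -> set[str]:
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled: set[str] = set()
    for tok in arg.split():
        action = ""
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        if tok.lower() == "sslv2":  # modelled: '-SSLv2' accepted, anything else rejected
            if action == "-":
                continue
            raise ValueError("SSLv2 not supported")
        members = set(KNOWN) if tok.lower() == "all" else {_canon(tok)}
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            if enabled and warnings is not None:
                warnings.append(f"{tok!r} overrides already set protocols; missing +/- prefix?")
            enabled = members  # bare name replaces the set built so far
    return enabled


def _last_sslprotocol(block: str) -> Optional[str]:
    """Argument of the last SSLProtocol directive in a block (last one wins), or None."""
    last = None
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.I)
        if m:
            last = m.group(1).strip()
    return last


def effective_protocols(config: str) -> dict[str, set[str]]:
    """Enabled protocols for the server level ('<server>') and for each vhost."""
    base_arg = _last_sslprotocol(_VHOST_RE.sub("", config))
    base = parse_sslprotocol(base_arg) if base_arg else set(KNOWN)  # default 'all'
    result = {"<server>": base}
    for m in _VHOST_RE.finditer(config):
        label, body = m.group(1).strip(), m.group(2)
        arg = _last_sslprotocol(body)
        result[label] = parse_sslprotocol(arg) if arg else set(base)  # override or inherit
    return result


def sslv3_exposed(config: str) -> list[str]:
    """Virtual hosts whose effective SSLProtocol still allows SSLv3."""
    return sorted(label for label, protos in effective_protocols(config).items()
                  if label != "<server>" and "SSLv3" in protos)


SAMPLE_CONFIG = """\
# Constructed ssl.conf excerpt. The server-level line is the first attempt the
# page describes; the _default_ vhost keeps a stock line that overrides it.
SSLProtocol All -SSLv2 -SSLv3

<VirtualHost _default_:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>

<VirtualHost *:443>
    ServerName fixed.example.test
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>

<VirtualHost *:8443>
    ServerName inherits.example.test
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, protos in effective_protocols(SAMPLE_CONFIG).items():
        print(f"{label:16} {' '.join(sorted(protos))}")
    print("SSLv3 still enabled in:", sslv3_exposed(SAMPLE_CONFIG))
```

Run against the constructed excerpt, only `_default_:443` is reported: its own `SSLProtocol all -SSLv2` line overrides the server-level setting, the `*:443` host carries the corrected directive, and the `*:8443` host inherits the server-level value. The script is a model for reasoning about the configuration, not a substitute for checking the live listener after a reload.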