POODLE Attack

From NovaOrdis Knowledge Base
Latest revision as of 00:56, 7 January 2016

Overview

The POODLE attack (CVE-2014-3566) exploits a weakness in the CBC encryption scheme as implemented in the SSL 3.0 protocol; TLS 1.0 is immune to it. To exploit POODLE successfully, the attacker must be able to inject malicious JavaScript into the victim's browser and also be able to observe and manipulate the encrypted traffic on the wire.

Disable SSL3 on Apache httpd

To disable SSLv3 on httpd, modify the SSLProtocol directive as follows and add it to the virtual host definition(s) (I tried modifying the top level ssl.conf definition and it did not take):

<VirtualHost ...>

    ...
    SSLProtocol All -SSLv2 -SSLv3
    ...

</VirtualHost>

This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3.
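After changing the directive and reloading httpd, the change should be verified from the outside rather than trusted from the config file alone, since the author reports that the top-level setting did not take. The traditional check is "openssl s_client -connect host:443 -ssl3", but most current OpenSSL builds are compiled without SSLv3 and no longer accept that flag. The script below is an added example, not code from the knowledge base: it sends a minimal SSLv3 ClientHello over a plain socket and reports whether the server answers with an SSLv3 ServerHello (SSLv3 still enabled) or with an alert or a closed connection (SSLv3 disabled). The cipher suite list, the host and port arguments, and the sample responses in the tests are constructed for the example.

```python
import os
import socket
import struct
import sys
import time

SSLV3 = b"\x03\x00"  # protocol version field for SSL 3.0

# Constructed list of cipher suites an SSLv3 client might offer
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA); the probe only
# cares whether the server is willing to negotiate SSLv3 at all.
CIPHER_SUITES = bytes.fromhex("002f0035000a0005")


def build_sslv3_client_hello(random_bytes=None):
    """Build a minimal SSLv3 ClientHello record.

    SSLv3 has no extensions, so the handshake body is just
    version + random + session_id + cipher_suites + compression_methods.
    """
    if random_bytes is None:
        random_bytes = struct.pack(">I", int(time.time())) + os.urandom(28)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    body = (
        SSLV3                                                # client_version
        + random_bytes                                       # random
        + b"\x00"                                            # session_id length 0
        + struct.pack(">H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                        # one method: null compression
    )
    # Handshake header: type 1 (ClientHello) + 3-byte big-endian length
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version, 2-byte length
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record the server sends back."""
    if not data:
        return "rejected: connection closed without a response"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:          # alert record
        description = data[6]
        names = {40: "handshake_failure", 70: "protocol_version"}
        return "rejected: alert %s" % names.get(description, description)
    if (content_type == 0x16 and len(data) >= 11
            and data[5] == 0x02                         # ServerHello
            and data[9:11] == SSLV3):                   # server_version == SSL 3.0
        return "ACCEPTED: server completed an SSLv3 ServerHello, SSLv3 is still enabled"
    return "unknown response: %s" % data[:8].hex()


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python sslv3_probe.py <host> [port]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target_host, target_port))
```

Run it against each virtual host's name and port; an httpd that honours the directive above answers an SSLv3 ClientHello with a protocol_version or handshake_failure alert (or simply closes the connection), and the probe must never report ACCEPTED.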