POODLE Attack

From NovaOrdis Knowledge Base
Revision as of 00:56, 7 January 2016 by Ovidiu (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Internal

External

Overview

The POODLE Attack (CVE-2014-3566) is a problem in the CBC encryption scheme as implemented in the SSL 3 protocol. TLS 1.0 is immune to it. In order to successfully exploit POODLE the attacker must be able to inject malicious JavaScript into the victim's browser and also be able to observe and manipulate encrypted network traffic on the wire.

Disable SSL3 on Apache httpd

To disable SSLv3 on httpd modify the SSLProtocol directive as follows and add it in the virtual host(s) definition (I tried modifying the top level ssl.conf definition and it did not take):

<VirtualHost ...>

    ...
    SSLProtocol All -SSLv2 -SSLv3
    ...

</VirtualHost>

This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3.