[Triumf-linux-managers] SSLv3 and the POODLE vulnerability - server patching
Andrew Daviel
advax at triumf.ca
Wed Mar 18 19:11:40 PDT 2015
Last year a vulnerability in the SSL version 3 protocol was discovered,
dubbed "POODLE".
This is a problem in the protocol itself, so SSLv3 is now deprecated.
Someone who is able to manipulate a network connection and get a user to
run certain JavaScript code can then obtain keys and monitor encrypted
traffic.
Since February, CCIRC have been sending me reports of vulnerable
webservers at TRIUMF. More in the interests of keeping up appearances than
fixing a critical problem (like Heartbleed), I would like to disable SSLv3
everywhere.
Per https://zmap.io/sslv3/servers.html
this is usually just a matter of adding -SSLv3 to the existing -SSLv2 line
in httpd/conf.d/ssl.conf, and reloading Apache (killall -HUP httpd)
There should be no downtime and no serious impact on normal users - only
ancient browsers like Netscape 3 and IE 5 are unable to use TLSv1, and if
anyone is still using those, they should upgrade.
To test, you can do e.g.
echo 'OPTIONS / HTTP/1.0%%' |tr '%' '\n'|openssl s_client -ssl3 -connect misweb.triumf.ca:443
(misweb is not yet updated)
If the patch fails to disable SSLv3, there may be alternate SSLProtocol
directives in other places.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
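The two checks described in the post, as an added example that is not part of the original message or any TRIUMF tooling. Current OpenSSL builds leave SSLv3 out at compile time, so `openssl s_client -ssl3` no longer works there; this Python script instead sends a hand-built SSL 3.0 ClientHello and classifies the server's first record (a ServerHello at version 0x0300 means SSLv3 is still on; an alert or a dropped connection means it is off). It also scans Apache configuration text for SSLProtocol directives that still leave SSLv3 enabled, the "alternate directives in other places" the post warns about. The host name is whatever you pass on the command line; SAMPLE_CONFIG and the sample server replies are constructed data, and the SSLProtocol evaluation is a simplification of mod_ssl's rules.

```python
"""Check a web server and Apache config text for SSLv3 (the protocol POODLE targets).
Added example, not the post author's code. SAMPLE_* values are constructed data."""
import os
import socket
import struct
import sys

# SSL 3.0 record content types, handshake types and version number
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HANDSHAKE_CLIENT_HELLO, HANDSHAKE_SERVER_HELLO = 0x01, 0x02
SSLV3_VERSION = 0x0300
# RSA key-exchange suites that any SSLv3-capable server would recognise
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSL 3.0 ClientHello record (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", SSLV3_VERSION) + os.urandom(32)   # client_version, random
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", len(suites)) + suites           # cipher_suites
            + b"\x01\x00")                                      # compression: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, SSLV3_VERSION, len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back after an SSLv3 ClientHello."""
    if len(data) < 5:
        return "refused: connection closed without a response"
    content_type, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return f"refused: alert level={payload[0]} description={payload[1]}"
    if content_type == RECORD_HANDSHAKE and payload and payload[0] == HANDSHAKE_SERVER_HELLO:
        # ServerHello: type(1) length(3) server_version(2) ...; that version is what was agreed
        negotiated = struct.unpack("!H", payload[4:6])[0]
        if negotiated == SSLV3_VERSION:
            return "vulnerable: server negotiated SSLv3"
        return f"refused: server answered with version 0x{negotiated:04x}"
    return f"unknown: content type 0x{content_type:02x}, record version 0x{version:04x}"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


# Constructed replies: a ServerHello accepting SSLv3, and a fatal handshake_failure (40) alert
_body = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
_hs = bytes([HANDSHAKE_SERVER_HELLO]) + len(_body).to_bytes(3, "big") + _body
SAMPLE_SERVER_HELLO = struct.pack("!BHH", RECORD_HANDSHAKE, SSLV3_VERSION, len(_hs)) + _hs
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"

KNOWN_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}


def sslv3_enabled(directive: str) -> bool:
    """Evaluate one SSLProtocol line: 'all' selects every protocol, '-name' removes one,
    '+name' or a bare name adds one (a simplification of mod_ssl's rules)."""
    enabled = set()
    for token in directive.split()[1:]:
        name = token.lstrip("+-").lower()
        names = set(KNOWN_PROTOCOLS) if name == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "sslv3" in enabled


def find_sslv3_directives(config_text: str):
    """Return (line number, text) of every uncommented SSLProtocol line that leaves SSLv3 on,
    so stray directives in vhost files and other includes show up too."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.lower().startswith("sslprotocol") and sslv3_enabled(stripped):
            hits.append((n, stripped))
    return hits


SAMPLE_CONFIG = """\
# constructed sample: the main ssl.conf line was patched, one vhost was not
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol +TLSv1 +SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for n, line in find_sslv3_directives(SAMPLE_CONFIG):
        print(f"sample config line {n} still allows SSLv3: {line}")
    if len(sys.argv) > 1:   # e.g. python3 sslv3_check.py webserver.example.org
        print(sys.argv[1], "->", probe_sslv3(sys.argv[1]))
```

To audit a real server, run the script with the host name as its argument; to audit a real configuration, feed `find_sslv3_directives` the concatenated contents of everything httpd includes (ssl.conf plus the vhost files), since mod_ssl takes the last SSLProtocol directive in each context and a vhost-level one silently overrides the patched global line.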