The Apache Haus Forum


Topic: Kicking the POODLE

Gregg

Kicking the POODLE
« on: October 15, 2014, 09:23:45 PM »

By now I am sure many of you have heard about the POODLE attack on SSLv3. If you still allow clients to downgrade to SSLv3, you may want to stop this practice. It's easy and requires one change to your configuration:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

If you are using any SSLv3 only ciphers however, you may have to remove them as well.

On the browser side, you should disable SSLv3 as well. This way you can be sure it can never downgrade the connection to SSLv3. One of my trusted info security websites has set up a browser test at
https://poodletest.com/

Edit: typos typos
« Last Edit: October 16, 2014, 11:00:35 AM by Gregg »

mario

Re: Kicking the POODLE
« Reply #1 on: October 16, 2014, 10:12:25 AM »

For Firefox you can install https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ to disable SSLv3 support.

Gregg

Re: Kicking the POODLE
« Reply #2 on: October 16, 2014, 10:50:24 AM »

Or simply set in about:config:
security.tls.version.min = 1

mario

Re: Kicking the POODLE
« Reply #3 on: December 09, 2014, 09:55:48 AM »

POODLE is back, also for TLS: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

Still, a valid config is:

Code:
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
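The SSLProtocol and related directives in the two configs above are easy to get subtly wrong (a leftover "all" without "-SSLv3", a missing SSLHonorCipherOrder). The following is an added example, not code from the thread or from Apache Haus: a small audit script that applies mod_ssl's "+"/"-" token rules to an SSLProtocol line and flags a fragment that still leaves SSLv3 enabled. It assumes the protocol set of that era's Apache 2.4 / OpenSSL 1.0 builds (no TLSv1.3), and that a missing SSLProtocol means the mod_ssl default of "all".

```python
# What mod_ssl's "all" expanded to on the Apache 2.4 / OpenSSL 1.0.x builds
# discussed in this thread (assumption: TLSv1.3 did not exist yet).
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}

def enabled_protocols(directive):
    """Protocol set an SSLProtocol line leaves enabled.  Mirrors mod_ssl's
    token rules: '+name' adds, '-name' removes, a bare name adds, and 'all'
    stands for every protocol; later tokens override earlier ones."""
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in CANONICAL:
            names = {CANONICAL[name.lower()]}
        else:
            raise ValueError("unknown protocol token: %r" % tok)
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def audit_ssl_config(text):
    """Scan an httpd SSL config fragment and return a list of findings
    (empty list means the fragment passes the checks from this thread)."""
    findings = []
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directives[line.split(None, 1)[0].lower()] = line
    proto_line = directives.get("sslprotocol")
    # mod_ssl's default SSLProtocol is "all", so a missing directive still
    # enables SSLv3 on these builds.
    enabled = enabled_protocols(proto_line) if proto_line else set(ALL_PROTOCOLS)
    if enabled & {"SSLv3", "SSLv2"}:
        findings.append("SSLv3/SSLv2 enabled (POODLE): %s" % (proto_line or "<default: all>"))
    if directives.get("sslcompression", "").lower().split()[1:] != ["off"]:
        findings.append("SSLCompression not explicitly Off (TLS compression, CRIME)")
    if directives.get("sslhonorcipherorder", "").lower().split()[1:] != ["on"]:
        findings.append("SSLHonorCipherOrder not On (client may pick a weaker suite)")
    return findings
```

Run `audit_ssl_config()` over the text of a vhost's SSL block; the config posted above yields no findings, while "SSLProtocol all -SSLv2" is reported because "all" still includes SSLv3.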
