The Apache Haus Forum

Forum Topics => News & General Discussion => Topic started by: Gregg on October 15, 2014, 09:23:45 PM

Title: Kicking the POODLE
Post by: Gregg on October 15, 2014, 09:23:45 PM
By now I am sure many of you have heard about the POODLE attack on SSLv3. If you are still allowing clients to downgrade to SSLv3, you may want to stop this practice. It's easy and requires one change to your configuration:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

If you are using any SSLv3-only ciphers, however, you may have to remove them as well.

On your browser's side, you should disable SSLv3 as well. This way you can be sure it can never downgrade the connection to SSLv3. One of my trusted info security websites has set up a browser test at
https://poodletest.com/

Edit: typos typos
Title: Re: Kicking the POODLE
Post by: mario on October 16, 2014, 10:12:25 AM
For Firefox, you can install https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ to disable SSLv3 support.
Title: Re: Kicking the POODLE
Post by: Gregg on October 16, 2014, 10:50:24 AM
Or simply set in about:config
security.tls.version.min = 1
Title: Re: Kicking the POODLE
Post by: mario on December 09, 2014, 09:55:48 AM
POODLE is back, also for TLS: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

Still a valid config is

Code:
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
Title: Re: Kicking the POODLE
Post by: Gregg on December 09, 2014, 07:29:17 PM
More info:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
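
Added example, not part of the thread and not Apache's own code: a small Python audit that models how the SSLProtocol tokens shown in the posts above combine, and flags any directive that still leaves SSLv3 enabled. The token model (including what "all" expands to) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: "all" is modelled as SSLv3 plus every TLS version, which fits
# 2014-era httpd 2.4 builds; SSLv2 is recognised but not part of "all".
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
NAMES = {name.lower(): name for name in ALL | {"SSLv2"}}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    # SSLProtocol all
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
"""


def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right (model, see above)."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name != "all" and name not in NAMES:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        wanted = set(ALL) if name == "all" else {NAMES[name]}
        if sign == "+":
            enabled |= wanted
        elif sign == "-":
            enabled -= wanted
        else:
            enabled = wanted  # a bare token replaces earlier settings
    return enabled


def audit(config_text):
    """Return (line number, directive) for each line that leaves SSLv3 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if match and "SSLv3" in effective_protocols(match.group(1)):
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

The model only reads the directive text; it does not account for Include files or for what the installed OpenSSL build actually supports.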