Kicking the POODLE

Gregg · October 15, 2014, 09:23:45 PM

By now I am sure many of you have heard about the POODLE attack on SSLv3. If you are still supporting allowing clients to downgrade to SSLv3 you may want to stop this practice. It's easy and requires one change to your configuration:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

If you are using any SSLv3 only ciphers however, you may have to remove them as well.

On your browser's side, you should also disable SSLv3 in it as well. This way you can be sure it can never downgrade the connection to SSLv3. One of my trusted info security websites has set up a browser test at
https://poodletest.com/

Edit: typos typos

mario · October 16, 2014, 10:12:25 AM

For firefox you can install https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ to disable SSLv3 support

Gregg · October 16, 2014, 10:50:24 AM

Or simply set in about:config
security.tls.version.min = 1

mario · December 09, 2014, 09:55:48 AM

Poodle is back also for TLS https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

Still a valid config is

Code Select


SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

Gregg · December 09, 2014, 07:29:17 PM

More info:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

Kicking the POODLE

Gregg

mario

Gregg

mario

Gregg