SSLv3 Vulnerability (Poodle)

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.

A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.

Detection (Linux)

The following script can be run against the server in question. The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not.


ret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> /dev/null)
if echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then
if echo “${ret}” | grep -q ‘Cipher.*0000’; then
echo “SSL 3.0 disabled”
echo “SSL 3.0 enabled”
echo “SSL disabled or other error”

NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.

To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, however it is strongly recommended against.

To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:

Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.

Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3

Option 2: Disable everything except TLSv1.x

On RHEL 7 or RHEL 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

On other platforms:
SSLProtocol -All +TLSv1

Then restart httpd:

# service httpd restart

For Microsoft
Test your web server for SSLv2
What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

For Nginx – there are other files to edit:


Rebuild after any changes

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Other Resources:


Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.