The POODLE Attack that was announced October 14, 2014 is regarding an exploit of SSL 3.0, the following are recommendations to prevent attacks using this vulnerability
Disable: SSL 3.0 or CBC-mode ciphers with SSL 3.0
Enable: TLS_FALLBACK_SCSV
- OpenSSL has released an update as of 10/15/2014 to support the FALLBACK SCSV - https://www.openssl.org/news/secadv_20141015.txt
- Other platforms will need to contact your vendor for support information
Current Client Browser Information:
Firefox 32 |
Chrome 40 |
Internet Explorer |
Opera 25 |
Safari 7.1 |
TLS 1.2 |
TLS 1.2 |
TLS 1.2 |
TLS 1.2 |
TLS 1.2 |
TLS 1.1 |
TLS 1.1 |
TLS 1.1 |
||
TLS 1.0 |
TLS 1.0 |
TLS 1.0 |
TLS 1.0 |
TLS 1.0 |
SSL 3.0 |
SSL 3.0 |
SSL 3.0 |
SSL 3.0 |
SSL 3.0 |
Browser Support for TLS 1.2
Firefox |
Chrome |
Internet Explorer |
Opera |
Safari |
V24 - Disabled by Default |
v30 |
V8 - Disabled by default |
V10 - Disabled by default |
V7 OSX |
Mobile OS support for TLS 1.2
iOS |
Android |
Microsoft Mobile |
6+ |
4.4.2+ |
IE11/Mobile 8.1 |
Apache OpenSSL Server:
Add/update the following to your Apache Config file:
SSLProtocol All -SSLv2 -SSLv3
- Disables SSL 2.0 and 3.0
SSLHonorCipherOrder on
- Enables the Server to select the Cipher Suite, not the client
Next remove any CBC-mode ciphers with SSL 3.0, this is listed in your Apache config file under "SSLCipherSuite"
Nginx server:
Add/update your NGINX config file:
ssl_protocols: TLSv1 TLSv1.1 TLSv1.2;
- Disables SSL protocols
ssl_prefer_server_ciphers on;
- Enables the Server to select the Cipher Suite, not the client
Windows Server:
Windows OS Version
SSL 2.0 |
SSL 3.0 |
TLS 1.0 |
TLS 1.1 |
TLS 1.2 |
|
Windows XP & Server 2003 |
X |
X |
X |
||
Windows Vista & Server 2008 |
X |
X |
X |
||
Windows 7 & Server 2008 R2 |
X |
X |
X |
X |
X |
Windows 8 & Server 2012 |
X |
X |
X |
X |
X |
Windows Servers need to be configured manually through the Windows Registry even though they are a GUI based operating system.
The steps to disable and enable cipher suites and protocols can be found in Microsoft KB 245030 ( http://support.microsoft.com/kb/245030 )
Java Tomcat
From within the server.xml file listed under SSL connector locate "
ciphers=
" remove all ciphers related to CBC-mode ciphers with SSL 3.0
Remove the SSL 1.0, 2.0 and 3.0 as well from "
sslEnabledProtocol
"
(Example)
sslEnabledProtocols = "TLSv1, TLSv1.1, TLSv1.2"
If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: Smart Phone users may use the 1-800 numbers shown in the table below.
Otherwise, it is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.