
POODLE Vulnerability - SSL 3.0

The POODLE attack, announced October 14, 2014, exploits SSL 3.0. The following recommendations prevent attacks that use this vulnerability:

Disable: SSL 3.0 or CBC-mode ciphers with SSL 3.0

Enable: TLS_FALLBACK_SCSV

Current Client Browser Information:

Firefox 32

Chrome 40

Internet Explorer

Opera 25

Safari 7.1

TLS 1.2

TLS 1.2

TLS 1.2

TLS 1.2

TLS 1.2

TLS 1.1

TLS 1.1

TLS 1.1

TLS 1.0

TLS 1.0

TLS 1.0

TLS 1.0

TLS 1.0

SSL 3.0

SSL 3.0

SSL 3.0

SSL 3.0

SSL 3.0

Browser Support for TLS 1.2

| Firefox | Chrome | Internet Explorer | Opera | Safari |
|---|---|---|---|---|
| V24 - Disabled by default | V30 | V8 - Disabled by default | V10 - Disabled by default | V7 OSX |

Mobile OS support for TLS 1.2

| iOS | Android | Microsoft Mobile |
|---|---|---|
| 6+ | 4.4.2+ | IE11/Mobile 8.1 |

Apache OpenSSL Server:

Add/update the following to your Apache Config file:

SSLProtocol All -SSLv2 -SSLv3

  • Disables SSL 2.0 and 3.0

SSLHonorCipherOrder on

  • Enables the Server to select the Cipher Suite, not the client

Next, remove any CBC-mode ciphers used with SSL 3.0. These are listed in your Apache config file under "SSLCipherSuite".


Nginx server:

Add/update your NGINX config file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  • Disables SSL protocols

ssl_prefer_server_ciphers on;

  • Enables the Server to select the Cipher Suite, not the client
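
The Apache and Nginx settings above can be checked mechanically. The following Python sketch is an added example, not Entrust's or either project's own code: it reads config text and reports any line that still enables SSL 2.0/3.0, plus a missing server cipher order setting. The sample configs are constructed, and the expansion of Apache's "All" is an assumption noted in the code.

```python
# Assumption: what Apache's "All" covers depends on the httpd/OpenSSL build;
# SSLv3 is included here so the audit errs on the side of flagging.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = {"sslv2", "sslv3"}
ORDER_KEYS = {"sslhonorcipherorder", "ssl_prefer_server_ciphers"}

def apache_enabled(args):
    """Resolve SSLProtocol arguments such as 'All -SSLv2 -SSLv3' left to right."""
    enabled = set()
    for tok in args.lower().split():
        name = tok.lstrip("+-")
        names = APACHE_ALL if name == "all" else {name}
        # Unsigned tokens are treated like '+', which can only over-report.
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(config_text):
    """Return (line_number, finding) tuples; line 0 marks a file-level finding."""
    findings, order_on, tls_seen = [], False, False
    for num, raw in enumerate(config_text.splitlines(), 1):
        # Drop comments and nginx's trailing ';', then split directive from args.
        parts = raw.split("#", 1)[0].strip().rstrip(";").split(None, 1)
        if not parts:
            continue
        key, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "sslprotocol":            # Apache mod_ssl
            enabled = apache_enabled(args)
        elif key == "ssl_protocols":        # nginx
            enabled = set(args.lower().split())
        else:
            if key in ORDER_KEYS and args.strip().lower() == "on":
                order_on = True
            continue
        tls_seen = True
        findings += [(num, proto + " enabled") for proto in sorted(enabled & LEGACY)]
    if tls_seen and not order_on:
        findings.append((0, "server cipher order preference not enabled"))
    return findings

# Constructed sample configs: a weak and a corrected form for each server.
WEAK_APACHE = "SSLProtocol All -SSLv2\nSSLHonorCipherOrder off\n"
FIXED_APACHE = "SSLProtocol All -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n"
FIXED_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n"

if __name__ == "__main__":
    for label, cfg in [("apache weak", WEAK_APACHE), ("apache fixed", FIXED_APACHE),
                       ("nginx weak", WEAK_NGINX), ("nginx fixed", FIXED_NGINX)]:
        print(label, audit(cfg))
```

The cipher order check is file-wide, so a config with several virtual hosts still needs each host reviewed individually.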


Windows Server:

| Windows OS Version | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|---|
| Windows XP & Server 2003 | X | X | X | | |
| Windows Vista & Server 2008 | X | X | X | | |
| Windows 7 & Server 2008 R2 | X | X | X | X | X |
| Windows 8 & Server 2012 | X | X | X | X | X |

Although Windows Server is a GUI-based operating system, these protocol settings must be configured manually through the Windows Registry.

The steps to disable and enable cipher suites and protocols can be found in Microsoft KB 245030 (http://support.microsoft.com/kb/245030).

Java Tomcat

In the server.xml file, under the SSL connector, locate "ciphers=" and remove all CBC-mode ciphers used with SSL 3.0. Also remove SSL 1.0, 2.0 and 3.0 from "sslEnabledProtocols". Example:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: Smart Phone users may use the 1-800 numbers shown in the table below.
Otherwise, it is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll-free call.