Poodlebleed Bug SSLv3
How to fix (ok, more of a reminder for me)
Windows Server
It’s a pain in the arse in general, i.e. registry edits plus the hotfixes you need to patch out weak ciphers and to add TLS 1.1+.
Windows 2003 – A pain in the arse with IIS 6.
- TLS 1.0 is native, but with weak ciphers.
- hotfixes needed for TLS 1.1 and 1.2
- Lots of registry edits
- disable weak ciphers
This was a pain (I know I know I’m repeating).
Windows 2008 R2 IIS 7
- Use IISCrypto
Windows 2012
- Use IISCrypto
Too bad Nartac Software was not available in 2005 when it would have saved me a lot of frustration.
Ubuntu
openssl s_client -connect <server>:<port> -ssl3
This is a little fancier (taken from – sorry, I forgot where/who to give credit)
if ! echo Q | openssl s_client -connect <server>:<port> -ssl3 2> /dev/null | grep -q "Cipher.*0000"; then echo "SSLv3 possibly enabled"; else echo "SSLv3 disabled"; fi
What should you see?
- A refused connection:
CONNECTED(00000003)
140682748860232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140682748860232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1414212571
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
An accepted connection:
CONNECTED(00000003)
......
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
........
No client certificate CA names sent
---
SSL handshake has read 3247 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
........
---
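The one-liner above gives only two answers, so a host that is down (or an OpenSSL client built without SSLv3, where -ssl3 is simply not accepted) gets lumped in with one of them. The script below is an added example, not part of the original post: it separates those cases by classifying the s_client output into ENABLED, DISABLED or UNKNOWN. It assumes the OpenSSL 1.0.x output format shown in the two dumps above ("Cipher is (NONE)" on a refused handshake, "Cipher is <NAME>" when SSLv3 was negotiated); the three sample outputs embedded in it are constructed, trimmed copies of those dumps.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the output of
# "openssl s_client -ssl3" into three states rather than two, so a host that
# is down, or an OpenSSL client built without SSLv3 support, is not reported
# as "SSLv3 disabled". Assumes the OpenSSL 1.0.x output format shown in the
# post: "Cipher is (NONE)" on a refused handshake, "Cipher is <NAME>" when
# SSLv3 was negotiated.

# classify_sslv3_output: reads s_client output (stdout and stderr) on stdin,
# prints ENABLED, DISABLED or UNKNOWN.
classify_sslv3_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED'; then
        # no TCP connection, bad hostname, or "unknown option -ssl3"
        echo UNKNOWN
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo DISABLED
    elif printf '%s\n' "$out" | grep -q 'Cipher is [A-Z0-9]'; then
        echo ENABLED
    else
        echo UNKNOWN
    fi
}

# probe_sslv3 HOST PORT: run the live probe against one of your own servers.
probe_sslv3() {
    echo Q | openssl s_client -connect "$1:$2" -ssl3 2>&1 | classify_sslv3_output
}

# Constructed samples, trimmed from the two outputs shown in the post.
REFUSED_SAMPLE='CONNECTED(00000003)
140682748860232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

ACCEPTED_SAMPLE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit'

# Constructed: what s_client prints when nothing is listening on the port.
DOWN_SAMPLE='connect: Connection refused
connect:errno=111'

# Usage: sh check_sslv3.sh HOST PORT  (runs the live probe);
# with no arguments it classifies the three constructed samples instead.
if [ $# -eq 2 ]; then
    probe_sslv3 "$1" "$2"
else
    for s in "$REFUSED_SAMPLE" "$ACCEPTED_SAMPLE" "$DOWN_SAMPLE"; do
        printf '%s\n' "$s" | classify_sslv3_output
    done
fi
```

Treat UNKNOWN as "not verified" rather than as a pass: on a current OpenSSL that was built without SSLv3 the -ssl3 option does not exist at all, and the probe then says nothing about the server.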
Disable SSLv3
in NGINX
Ubuntu
sudo <EDITOR> /etc/nginx/nginx.conf
E.g.
sudo nano /etc/nginx/nginx.conf
or
sudo vi /etc/nginx/nginx.conf
Look for the ssl_protocols directive and set it to:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart the service
sudo service nginx restart
Disable SSLv3 Apache
sudo <EDITOR> /etc/apache2/mods-available/ssl.conf
Add -SSLv3 to the SSLProtocol line (you should already have -SSLv2 there):
SSLProtocol all -SSLv3 -SSLv2
Restart Apache
sudo /etc/init.d/apache2 restart
If you’re not sure where the configuration file is:
ps w | grep http
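After editing either config it is easy to leave an SSLv3 token behind in a second server block, or to have no ssl_protocols line at all (in which case nginx releases before 1.9.1 fell back to a built-in default that included SSLv3, and Apache's default SSLProtocol is "all"). The script below is an added example, not part of the original post or of either project: it audits an nginx or Apache config file for SSLv3 the way the directives are actually evaluated, and reads stdin when no file is given. The file paths at the bottom are the ones used in the post; the sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an nginx or Apache TLS
# configuration for SSLv3 after making the edits above. Reads the named
# file(s), or stdin when none is given.

# sslv3_allowed_in_nginx [FILE...] -> prints "allowed" or "disabled".
# Conservative: any uncommented ssl_protocols line listing SSLv3 counts,
# and a missing directive counts as allowed because nginx's built-in
# default before 1.9.1 was "SSLv3 TLSv1 TLSv1.1 TLSv1.2".
sslv3_allowed_in_nginx() {
    lines=$(cat "$@" | sed 's/#.*//' | grep -w 'ssl_protocols' || true)
    if [ -z "$lines" ]; then
        echo allowed
    elif printf '%s\n' "$lines" | grep -qw 'SSLv3'; then
        echo allowed
    else
        echo disabled
    fi
}

# apache_line_allows_sslv3 SSLProtocol TOKEN...: evaluate one directive the
# way mod_ssl does, left to right: "all" switches SSLv3 on, "-SSLv3" off,
# "+SSLv3" or a bare "SSLv3" on. Returns 0 (true) when SSLv3 ends up enabled.
apache_line_allows_sslv3() {
    shift                      # drop the directive name itself
    on=0
    for tok in "$@"; do
        lc=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$lc" in
            all|+all)     on=1 ;;
            -all)         on=0 ;;
            sslv3|+sslv3) on=1 ;;
            -sslv3)       on=0 ;;
        esac
    done
    [ "$on" -eq 1 ]
}

# sslv3_allowed_in_apache [FILE...] -> prints "allowed" or "disabled".
# A missing SSLProtocol directive means the default "all", i.e. allowed;
# if several directives are present, any one that allows SSLv3 counts.
sslv3_allowed_in_apache() {
    lines=$(cat "$@" | sed 's/#.*//' | grep -i 'SSLProtocol' || true)
    verdict=disabled
    [ -n "$lines" ] || verdict=allowed
    while read -r line; do
        [ -n "$line" ] || continue
        if apache_line_allows_sslv3 $line; then verdict=allowed; fi
    done <<EOF
$lines
EOF
    echo "$verdict"
}

# Usage on the paths from the post (only those that exist on this box):
for f in /etc/nginx/nginx.conf; do
    [ -r "$f" ] && printf '%s: SSLv3 %s\n' "$f" "$(sslv3_allowed_in_nginx "$f")"
done
for f in /etc/apache2/mods-available/ssl.conf; do
    [ -r "$f" ] && printf '%s: SSLv3 %s\n' "$f" "$(sslv3_allowed_in_apache "$f")"
done
```

The Apache evaluator matters more than it looks: "SSLProtocol all -SSLv2" (the pre-POODLE line many boxes still had) evaluates to allowed, while "SSLProtocol -all +TLSv1.2" evaluates to disabled even though the word SSLv3 never appears. Run it against every file that ps points you at, not just the default path.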