Poodlebleed Bug SSLv3

How to fix (ok, more of a reminder for me)

Windows Server

It’s a pain in the arse in general- i.e. registry edits and also hotfix’s that you need for patching weak ciphers and the addition for TLS 1.+.

Windows 2003 – A pain in the arse with IIS 6.

  • TLS 1.0 is native, but with weak ciphers.
  • hotfix’s needed for TLS 1.1 and 1.2
  • Lots of registry edits
    • disable weak ciphers

This was a pain (I know I know I’m repeating).

Windows 2008 R2 IIS 7

Windows 2012

Too bad Nartac Software was not available in 2005 when it would have saved me a lot frustration.

Ubuntu

openssl s_client -connect <server>:<port> -ssl3

This is a little fancier (taken from – sorry, I forgot where/who ti give credit)

if echo Q | openssl s_client -connect <server>:<port> -ssl3 2> /dev/null | grep -v "Cipher.*0000"; then echo "SSLv3 possible enabled"; else echo "SSLv3 disabled"; fi

What should you see?

  • Refusal for connection.
CONNECTED(00000003)
140682748860232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140682748860232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv3
 Cipher : 0000
 Session-ID:
 Session-ID-ctx:
 Master-Key:
 Key-Arg : None
 Krb5 Principal: None
 PSK identity: None
 PSK identity hint: None
 Start Time: 1414212571
 Timeout : 7200 (sec)
 Verify return code: 0 (ok)
---

An accepted connection:

CONNECTED(00000003)
......
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
........
No client certificate CA names sent
---
SSL handshake has read 3247 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
........
---

 

Disable SSLv3

in NGIX

Ubuntu
sudo <EDITOR> /etc/nginx/nginx.conf

E.g.
sudo nano /etc/nginx/nginx.conf
or
sudo vi /etc/nginx/nginx.conf

Look for the ssl_protocols

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then restart service

sudo service nginx restart

Disable SSLv3 Apache

sudo <EDITOR> /etc/apache2/mods-available/ssl.conf

Add in the SSLProtocol for SSLv3 (you should also have had the SSLv2)

SSLProtocol all -SSLv3 -SSLv2

Restart Apache

 sudo /etc/init.d/apache2 restart

If you’re not sure where the configuration

ps w| grep http

 

Pages: 1 2

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.