SSL is now dead. Long live TLS…
The nail in the coffin for SSL version 3.0 came when Google researchers announced a vulnerability, CVE-2014-3566. The reality is that SSL version 3.0 has been dead for some time and should have been deprecated like its younger brother SSL version 2.0.
The recommended course of action is to disable the protocol on the server side (it is a protocol failure, there is no patch) to prevent attacks on the client.
The working solution is to update both the server and the client side so that they do not negotiate a lower protocol (TLS_FALLBACK_SCSV), but a world where everyone switches is a utopian dream: IE6 and Windows XP are still pretty much king.
Next page is for testing if you’re interested.
How to fix (ok, more of a reminder for me)
Windows Server
It’s a pain in the arse in general, i.e. registry edits and also the hotfixes that you need for patching weak ciphers and for adding TLS 1.+.
Windows 2003 – A pain in the arse with IIS 6.
- TLS 1.0 is native, but with weak ciphers.
- hotfixes needed for TLS 1.1 and 1.2
- Lots of registry edits
- disable weak ciphers
This was a pain (I know I know I’m repeating).
Windows 2008 R2 IIS 7
- Use IISCrypto
Windows 2012
- Use IISCrypto
Too bad Nartac Software was not available in 2005 when it would have saved me a lot of frustration.
Ubuntu
openssl s_client -connect <server>:<port> -ssl3
This is a little fancier (taken from – sorry, I forgot where/who to give credit). grep -q makes the result depend only on whether the "Cipher : 0000" line of a refused handshake is present:
if echo Q | openssl s_client -connect <server>:<port> -ssl3 2> /dev/null | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 possibly enabled"; fi
What should you see?
- Refusal for connection.
CONNECTED(00000003)
140682748860232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140682748860232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1414212571
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
An accepted connection:
CONNECTED(00000003)
......
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
........
No client certificate CA names sent
---
SSL handshake has read 3247 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
........
---
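The same check as a small script, added here as an example and not taken from the original post: classify_sslv3, check_sslv3 and the trimmed sample outputs are names and data constructed for illustration. It also reports the case where openssl prints no handshake summary at all (unreachable host, or an openssl build without -ssl3) as inconclusive rather than guessing.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of
# `openssl s_client -ssl3` into enabled / disabled / inconclusive.

# Reads s_client output on stdin and prints exactly one verdict.
classify_sslv3() {
    awk '
        /Cipher is \(NONE\)/    { refused = 1 }   # handshake was rejected
        /Cipher is [A-Za-z0-9]/ { accepted = 1 }  # a cipher was negotiated
        END {
            if (accepted)     print "enabled"
            else if (refused) print "disabled"
            else              print "inconclusive"  # no handshake summary
        }'
}

# Hypothetical wrapper: check_sslv3 <server> <port>
check_sslv3() {
    echo Q | openssl s_client -connect "$1:$2" -ssl3 2>/dev/null | classify_sslv3
}

# Constructed samples, trimmed from the two outputs shown above.
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---
EOF
}

sample_accepted() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
---
EOF
}

echo "refused sample:  $(sample_refused | classify_sslv3)"
echo "accepted sample: $(sample_accepted | classify_sslv3)"
echo "no output:       $(printf '' | classify_sslv3)"
```

An inconclusive result means the test itself did not run; repeat it from a host whose openssl still supports -ssl3 before treating the server as fixed.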
Disable SSLv3 in NGINX
Ubuntu
sudo <EDITOR> /etc/nginx/nginx.conf
E.g.
sudo nano /etc/nginx/nginx.conf
or
sudo vi /etc/nginx/nginx.conf
Look for the ssl_protocols line and leave SSLv3 out of it:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart the service:
sudo service nginx restart
Disable SSLv3 in Apache
sudo <EDITOR> /etc/apache2/mods-available/ssl.conf
Add -SSLv3 to the SSLProtocol line (you should already have had -SSLv2):
SSLProtocol all -SSLv3 -SSLv2
Restart Apache:
sudo /etc/init.d/apache2 restart
If you’re not sure where the configuration
ps w| grep http