This site is brought to you by the Electrical and Computer Engineering department

SSL v3 (for POODLE)

From the ISO:

Steps for Remediation
------------------------------

* This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.

* The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients; however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.

NOTE: Older network devices may only support SSL, and disabling SSL 3.0 could prevent them from being able to configure their modem, router, or printer. In such cases, it may be necessary to consider updating devices or pursuing an exception with related controls.

Once remediated, TSCs are asked to make use of SelfScan to verify the system is properly secured (credentialed scans are encouraged for best accuracy):

SelfScan
https://selfscan.security.utexas.edu/howtos/

You can also test servers out with:  https://ssllabs.com/
Clients can be checked via: https://www.poodletest.com

------------------------------

Additional commands:

From a Linux or Mac system:

openssl s_client -connect ipaddress/hostname:443 -ssl3
example: openssl s_client -connect mpc.ece.utexas.edu:443 -ssl3

Alternatively, you can use nmap to scan a server for the SSL/TLS versions and ciphers it supports:

nmap --script ssl-enum-ciphers mpc.ece.utexas.edu
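The two commands above rely on openssl and nmap being installed. As an added example (not from the original page or from the ISO), the following Python script does at the byte level what "openssl s_client -ssl3" does: it sends a ClientHello offering only protocol version 3.0 and reports whether the server answers with an SSLv3 ServerHello (still exposed to POODLE) or refuses. The hostname argument, the cipher suite list and the classification strings are this example's own choices; "accepted" is the result a remediation check should never see.

```python
import os
import socket
import struct
import sys
import time

# Added example (not from the original page): a minimal SSLv3 support probe.
# A server that still negotiates version 3.0 with this ClientHello has not
# been remediated for POODLE; "closed" or "rejected" are the expected results.

SSL3_VERSION = b"\x03\x00"

# A handful of cipher suites an SSLv3-era server would recognise (IANA values).
SSL3_CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_client_hello() -> bytes:
    """Return one SSLv3 handshake record carrying a minimal ClientHello."""
    client_random = struct.pack("!I", int(time.time())) + os.urandom(28)
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3_VERSION                                  # client_version = 3.0
        + client_random                               # 32-byte random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites vector
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sends back to the SSLv3 ClientHello."""
    if not data:
        return "closed"                       # connection dropped: SSLv3 not offered
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:
        return f"rejected (alert {data[6]})"  # e.g. 70 = protocol_version, 40 = handshake_failure
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        server_version = data[9:11]           # ServerHello.server_version
        if server_version == SSL3_VERSION:
            return "accepted"                 # SSLv3 negotiated: server is POODLE-exposed
        return f"negotiated {server_version.hex()}"
    return "unexpected"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the ClientHello and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(reply)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_probe.py <hostname> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{sys.argv[1]}:{port} SSLv3 {probe_sslv3(sys.argv[1], port)}")
```

Run it against your own server after remediation; only "closed", "rejected (...)" or "timeout" are acceptable. The probe checks only the first record returned, which is enough to distinguish a ServerHello from an alert and is what a credentialed scan would also look at first.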


From Paul - Editing httpd conf

/etc/httpd/conf.d/ssl.conf edit:

# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. This leaves only TLSv1.2 enabled (SSLv2, SSLv3, TLSv1 and
# TLSv1.1 are all disabled):
SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1


# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Note: RC4+RSA is still permitted by the string below; RC4 was later
# prohibited for TLS by RFC 7465 (2015), so check the cipher list separately.
SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH

Restarted httpd service.
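Because SSLProtocol can appear once per virtual host and its tokens are applied in order ("+" adds, "-" removes, a bare token replaces the whole set, "all" expands to every supported protocol), it is easy to leave SSLv3 enabled in one vhost while disabling it in another. The following audit script is an added example, not part of the original page or Paul's configuration. It assumes httpd 2.4 semantics ("all" = SSLv3, TLSv1, TLSv1.1, TLSv1.2; "-SSLv2" accepted as a no-op) and the older httpd default of "all" when no directive is present; the sample ssl.conf is constructed for the example.

```python
import re

# Added example (not from the original page): audit the SSLProtocol directive(s)
# in an httpd ssl.conf and report whether SSLv3 is still enabled anywhere.
# Assumption: httpd 2.4 token semantics ("+" adds, "-" removes, a bare token
# replaces the set, "all" is every protocol except SSLv2, "-SSLv2" is a no-op).

# Assumed expansion of "all" for an httpd 2.4 build on OpenSSL 1.0.1 (no TLSv1.3).
ALL_EXPANDS_TO = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
# Apache matches protocol names case-insensitively; map lower-case -> canonical.
PROTOCOL_NAMES = {name.lower(): name for name in ALL_EXPANDS_TO}

# Default when no SSLProtocol line exists (assumption: the older httpd default
# of "all", which still includes SSLv3).
DEFAULT_DIRECTIVE = "all"


def effective_protocols(directive_args: str) -> set:
    """Apply mod_ssl's SSLProtocol token rules and return the enabled protocol set."""
    enabled = set()
    for token in directive_args.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        key = token.lower()
        if key == "sslv2":
            if action == "-":
                continue              # httpd 2.4 accepts "-SSLv2" as a harmless no-op
            raise ValueError("SSLv2 is no longer supported by httpd 2.4")
        if key == "all":
            names = set(ALL_EXPANDS_TO)
        elif key in PROTOCOL_NAMES:
            names = {PROTOCOL_NAMES[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names           # a bare token replaces whatever came before
    return enabled


DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def audit_ssl_conf(conf_text: str) -> list:
    """Return (line_number, enabled_set, sslv3_enabled) for every SSLProtocol directive."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue                  # commented-out directives do not count
        match = DIRECTIVE_RE.match(line)
        if match:
            enabled = effective_protocols(match.group(1))
            findings.append((lineno, enabled, "SSLv3" in enabled))
    if not findings:
        enabled = effective_protocols(DEFAULT_DIRECTIVE)
        findings.append((0, enabled, "SSLv3" in enabled))   # line 0 = implicit default
    return findings


# Constructed sample configuration (not a real server's file).
SAMPLE_CONF = """\
# constructed sample ssl.conf
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    #SSLProtocol all -SSLv2
    SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, enabled, sslv3 in audit_ssl_conf(SAMPLE_CONF):
        status = "SSLv3 ENABLED" if sslv3 else "ok"
        print(f"line {lineno or '(default)'}: {sorted(enabled)} -> {status}")
```

On the constructed sample the first vhost reports only TLSv1.2, while the second (still "all -SSLv2") is flagged. The script reads one file and does not follow Include directives, so run it over every file that httpd loads, then confirm with a scan of the live service.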



Additional References from the ISO:
------------------------------
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566