POODLE vulnerability - Help in Disabling the SSLv3

I want to know how to disable SSLv3 if ours is using the SSL cipher suite

         

IamRasheed

5:27 am on Nov 3, 2014 (gmt 0)

10+ Year Member



Hello,

Regarding the POODLE vulnerability, I disabled SSLv3 on almost all the Apache servers we are using in our organization. But on one of the servers I see the SSLProtocol entry is not there. Instead we have only SSLCipherSuite enabled, like below:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL


If we add one more line like
SSLProtocol -ALL -SSLv3 +TLSv1 in the configuration, will it disable SSLv3?
When it disables SSLv3, will the SSLCipherSuite functionality be changed?

Or, since we are using only SSLCipherSuite, do we need to change the SSLCipherSuite line to disable SSLv3?

Since I don't know much about SSLCipherSuite, I am seeking help. Please kindly help me.

All I want is that there should not be any change in the configuration except disabling SSLv3.

Thanks,
Rasheed

not2easy

5:45 am on Nov 3, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



There is a thread here discussing Poodle solutions and compatibility issues that might help: [webmasterworld.com...]

IamRasheed

6:17 am on Nov 3, 2014 (gmt 0)

10+ Year Member



Thank you for sharing the information.
As Red Hat suggested, I disabled SSLv3 by using the entry SSLProtocol -ALL -SSLv3 +TLSv1 in Apache.
Previously it was SSLProtocol -ALL +SSLv3 +TLSv1
After that, all my web servers are not vulnerable.

On one web server, we didn't have SSLProtocol -ALL +SSLv3 +TLSv1;
we have only SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Hence, could you please tell us whether adding this entry SSLProtocol -ALL +SSLv3 +TLSv1 itself is enough, or whether I need to change anything in the SSLCipherSuite line?
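
An added example, not part of the thread and not any poster's code: a small Python check for the two questions raised above, whether a configuration with no SSLProtocol line leaves SSLv3 on, and whether adding one changes SSLCipherSuite. It assumes 2014-era mod_ssl behaviour (an absent SSLProtocol acts like "all", and "all" includes SSLv3) and a single configuration scope; the names effective_protocols and audit are hypothetical.

```python
import re

# Assumption: 2014-era mod_ssl, where "all" still included SSLv3 and an absent
# SSLProtocol directive behaved like "SSLProtocol all".
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL | {"SSLv2"}}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name == "all":
            group = set(ALL)
        elif name in KNOWN:
            group = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {tok!r}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled

def audit(conf_text):
    """Report enabled protocols and the cipher string for one config scope."""
    found = {"sslprotocol": "all", "sslciphersuite": None}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' never match
        if m:
            found[m.group(1).lower()] = m.group(2)  # last directive wins
    protos = effective_protocols(found["sslprotocol"])
    return {"protocols": protos, "sslv3": "SSLv3" in protos,
            "ciphers": found["sslciphersuite"]}

# Constructed inputs built from the directive lines quoted in the thread.
CIPHERS = "SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
CIPHER_ONLY = CIPHERS + "\n"
WITH_MINUS = CIPHERS + "\nSSLProtocol -ALL -SSLv3 +TLSv1\n"
WITH_PLUS = CIPHERS + "\nSSLProtocol -ALL +SSLv3 +TLSv1\n"

if __name__ == "__main__":
    for label, conf in [("cipher only", CIPHER_ONLY), ("-SSLv3", WITH_MINUS), ("+SSLv3", WITH_PLUS)]:
        r = audit(conf)
        print(f"{label:12} protocols={sorted(r['protocols'])} SSLv3 enabled={r['sslv3']}")
```

Only the -SSLv3 form ends with TLSv1 as the sole enabled protocol, and the cipher string is identical in all three cases because SSLProtocol and SSLCipherSuite are separate directives.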