SSLv3 Poodle

Same question here. I'll handle this myself with some direction posted here. Otherwise I suppose I'll open a ticket.
 
Here is the official RedHat CVE for POODLE: https://access.redhat.com/security/cve/CVE-2014-3566

POODLE is pretty much a way to slowly decript a few bytes of a connection if it has been forced to use the SSLv3 protocol, however the big catch is it is a Man in the Middle attack, which means a portion of the network must already be compromised allowing someone to monitor, intercept and modify the packets. For example connecting to an unknown Wireless network where somone is filtering the packets.

The actual threat from POODLE is relatively low especially in our setting as our network is physically secure.

Once the OpenSSL patch has made its way down to the CentOS repo's we will install it, which is a stopgap meausre to help protect things but will not truly "fix" SSLv3. The only way to fix it is for both Client & Server's to stop using SSLv3 however we cannot fully disable SSLv3 at this time on cPanel servers.

You 'can' disable SSLv3 in Apache by visiting the Service Configuration > Apache Configuration -> Global Configuration page.

From here you can copy the current SSL Cipher Suite that they are using, and place i in the custom box. Simply add :-SSLv3 after the -SSLv2 entry in the Cipher suite. This will disable SSLv3 for Port 443. This will NOT disable SSLv3 for other services such as courier/dovecot, cpanel, webmail etc.

There "are" options within cPanel to be able to disable SSLv3 for these services, however doing so also disables TLS1.0 and 1.1 which will break SSL connections on those services for all browsers except those who support TLS1.2 (many more than just the SSLv3 browsers) so as it stands we do not recommend making any changes to any other SSL protocols except for the Cipher in apache.
 
So while it is theoretically possible for a MitM attack, the risk is low, especially if I am not transmitting any sensitive information (financial, PHI, etc). Fair enough. Thanks for the explanation. Very helpful.
 
I already double check, my vps already supports TLS_FALLBCK_SCSV mechanism which helps prevent a SSL connection from being 'downgraded' from newer protocols such as TLS1.2 to the older SSLv3 protocol

So I believe I don't really need to disable sslv3, Chrome also already drop drop support for SSLv3 , and firefox will be soon too
 
I ran into a problem with SSLv3 being disabled on my server. I have some users who have VERY old Mac mail client applications that refuse to accept the SSL certificate while SSLv3 is disabled on the server. I struggled with this for a long time, and eventually switched those users over to the latest version of Thunderbird that would be compatible with there old Mac OS; and then found a clue online that the checkbox for TLS in the client app actually means STARTTLS ... so then that works on port 25/26 without any certificate complaints. Hope this helps someone.

Cheers!
 
Top