How to fix the POODLE SSLv3 security vulnerability (CVE-2014-3566)
POODLE = Padding Oracle On Downgraded Legacy Encryption
First, the name came late, but the security problem is still terrible. The newest security vulnerability (CVE-2014-3566) is code-named POODLE, which is an abbreviation. Is the title actually meaningful?
This vulnerability is very similar to BEAST (Browser Exploit Against SSL/TLS), but there is no reliable solution unless SSLv3 support is completely disabled. In short, attackers can obtain plaintext data from your encrypted stream.
Let's take a look at how to deal with it. The Mozilla Security Wiki's Server Side TLS page has previously recommended strict protocol and cipher restrictions, which deserve our attention.
Apache
Disable SSLv2 and SSLv3 in the SSL configuration of Apache:
SSLProtocol all -SSLv2 -SSLv3
Nginx
Allow only the TLS protocols in Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
MySQL
It is worth noting that, unless you deploy the sha256_password plug-in for MySQL 5.6, MySQL has to complete SSL/TLS connection negotiation before verifying the handshake; therefore, this attack vector is only a problem for the data stream of a valid login. (The sha256_password plug-in provides an option for SSL/TLS authentication.)
This makes things more interesting. Unlike Apache and Nginx, MySQL has no way to enable or disable entire SSL/TLS protocol versions, but you can specify the cipher specification for SSL communication.
To remove SSLv3 support in MySQL, make sure that no SSLv3 ciphers are used in the configuration.
In this bug, you can find the SSLv3 cipher list:
openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH\(512\))/ { print $1 }'
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
You can disable SSLv3 by removing the ciphers listed above from the ssl-cipher configuration. Of course, ensuring that the MySQL service is not generally accessible is by far the most important step in defending against CVE-2014-3566.
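The following is an added example, not part of the original article: it builds an ssl-cipher value with every SSLv3-tagged cipher dropped, and audits an existing ssl-cipher value for SSLv3 entries. The function names and the sample cipher table are constructed for illustration; on a real host, feed the functions the output of openssl ciphers -v 'DEFAULT' instead.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `openssl ciphers -v`.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EOF
}

# Hypothetical helper: read cipher table lines on stdin and print a
# colon-separated ssl-cipher value containing only non-SSLv3 entries.
build_ssl_cipher() {
  awk '$2 != "SSLv3" { out = out (out ? ":" : "") $1 } END { print out }'
}

# Hypothetical helper: audit_ssl_cipher VALUE
# Reads the cipher table on stdin, prints every cipher in VALUE that the
# table tags as SSLv3, and returns 1 if any were found (0 if the value is clean).
audit_ssl_cipher() {
  awk -v list="$1" '
    $2 == "SSLv3" { bad[$1] = 1 }
    END {
      n = split(list, c, ":")
      for (i = 1; i <= n; i++)
        if (c[i] in bad) { print c[i]; found = 1 }
      exit found + 0
    }'
}

# Print the value to place after ssl-cipher= for the sample table.
# Real use: openssl ciphers -v 'DEFAULT' | build_ssl_cipher
sample_ciphers | build_ssl_cipher
```

OpenSSL tags each cipher with the protocol version that introduced it, so the SSLv3-tagged ciphers are also the ones TLS 1.0 and 1.1 clients negotiate; confirm your clients can still connect after removing them.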
Here you can learn