How to fix the SSL 3.0 poodle Vulnerability

Google disclosed a security vulnerability in SSL 3.0 on Tuesday.

For more information, visit: https://www.openssl.org /~ Bodo/ssl-poodle.pdf

 

What isSSL3.0 poodleVulnerabilities?

The SSL protocol was developed by Netscape and V3.0 was released in 1996. SSL 3.0 has been in existence for 15 years. Currently, most browsers support this version. Generally, users' browsers use the new security protocol to connect to the server. To maintain compatibility, when the connection to the browser security protocol fails, they attempt to connect to the old security protocol, this includes SSL 3.0.

The principle of the poodle attack is that hackers deliberately create a security protocol connection failure, trigger the browser's downgrade, use SSL 3.0, and then use special measures, the privacy information of a certain byte length is extracted from the secure connection covered by SSL 3.0.

 

 

How can I prevent the SSL3.0-poodle vulnerability?

We recommend that you manually disable SSLv3 support on the client, or disable SSLv3 support on the server, or disable both of them to effectively prevent the impact of the poodle vulnerability on you.

 

Disable SSLv3 support:

 

Nginx:

Ssl_protocols tlsv1 tlsv1.1 tlsv1.2;

Ssl_prefer_server_ciphers on;

Ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-RSA-AES256

Sha384: ECDHE-RSA-AES128-SHA256: ECDHE-RSA-RC4-SHA: ECDHE-RSA-AES256-SHA: DHE-RSA-AES256-SHA: DHE

RSA-AES128-SHA: RC4-SHA :! Anull :! Enull :! Export :! Des :! 3DES :! MD5 :! DSS :! PKS;

Ssl_session_timeout 5 m;

Ssl_session_cache builtin: 1000 shared: SSL: 10 m;

 

Apache:

Sslprotocol all-SSLv2-SSLv3

Sslhonorcipherorder on

Sslciphersuite ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES128-GCM-SHA256: ECDHE-RSA-AES256

Sha384: ECDHE-RSA-AES128-SHA256: ECDHE-RSA-RC4-SHA: ECDHE-RSA-AES256-SHA: DHE-RSA-AES256-SHA: DHE

RSA-AES128-SHA: RC4-SHA :! Anull :! MD5 :! DSS

 

Disable client SSLv3 support:

 

Google has said that the chorme browser has used technical means to shield the browser from automatically downgrading to the SSL3.0 link. Manually disable the methods supported by SSL 3.0.

WindowsUser:

1) Close chrome completely

2) copy a shortcut that usually opens the Chrome browser

3) Right-click the new shortcut to go to the properties page.

4) enter the following command at the end of the field in the space after the target: SSL-version-min = tls1

Mac OS XUser:

1) Close chrome completely

2) Find the terminal that comes with the Local Machine (Terminal)

3) enter the following command:/applications/Google \ chrome. APP/contents/MACOs/Google \ chrome -- SSL-version-min = tls1

LinuxUser:

1) Close chrome completely

2) enter the following command in the terminal: Google-chrome-SSL-version-min = tls1

In Firefox, users can enter about: settings by entering about: config in the address bar, and then adjust security. TLS. version. min to 1.

 

Set Method reference from http: // watone. China/news/SSLv3-Poodle.htm

How to fix the SSL 3.0 poodle Vulnerability