How do I patch/workaround SSLv3 POODLE vulnerability (CVE­-2014­-3566)?

Background info

SSL is designed to secure the transport level on the internet. For 'the web' aka HTTP you'll know this as HTTPS, but it's also used for other application protocols. SSLv2 was the first widely used transport security protocol but was found insecure not long after. Successors SSLv3 and TLSv1 are widely supported now. TLSv1.1 and TLSv1.2 are newer and gaining a lot of support too. Most if not all web browsers released from 2014 have support for it.

The recent discovery by Google engineers points out that SSLv3 should not be used (like SSLv2 is deprecated a long time ago). The clients that won't be able to connect to your site/service are probably very very limited. CloudFlare announced that less than 0.09% of their visitors still rely on SSLv3.

Simple solution: disable SSLv3.

Does Ubuntu provide any update?

No, probably not, YOU have to take action yourself (it's configurable).

Improvements to some SSL implementations may be included soon (see below on SCSV), but that's not what this issue is about mainly.

Disabling SSLv3 completely by default in Ubuntu will probably break some stuff out there, so I assume maintainers won't do that.

Okay, so how do I disable SSLv3?

See below in the application specific sections: Firefox, Chrome, Apache, Nginx and Postfix are covered for now.

Are only servers or also clients affected?

The vulnerability exists if both the server and client accepts SSLv3 (even if both are capable of TLSv1/TLSv1.1/TLS1.2 due to a downgrade attack).

As a server admin you should disable SSLv3 now for the security of your users.

As a user, you should disable SSLv3 in your browser now to secure yourself when visiting websites which still support SSLv3.

Is this OpenSSL/GnuTLS/browser specific?

No. It's a protocol (design) bug, not an implementation bug. This means you can't really patch it (unless you're changing the design of the old SSLv3).

Is there anything else I can do to improve my SSL configuration in general?

As a user, besides disabling SSLv3 in your browser, not really.

For servers, follow's Mozilla's TLS server guide. And test with Qualys' SSL Labs test. It's really not that hard to get an A+ rating on your site. Just update your packages and implement the recommendations from the guide of Mozilla.

But I really really need SSLv3 support... for reason X,Y,Z! Now what?

Well, there's a patch that circumvents the downgrade attack of TLSv1 capable clients, called the TLS Fallback SCSV (early OpenSSL patch) feature. It will improve the security of TLSv1+ too, by the way (downgrade attack is harder/impossible).

Don't go this road unless you really need to and you know what you're doing. My educated guess is that eventually Ubuntu will support this feature too in OpenSSL. But please, please, just retire SSLv3 in your network for now. Put effort in upgrading security standards and just ditch SSLv3.

I heard about SCSV support to eliminate the protocol downgrade attack. Do I need it?

No, unless you consider TLSv1 not to be secure enough and you're paranoid. See also above. Just wait for this feature to come to Ubuntu one day.

Testing vulnerability for privately hosted sites (e.g. intranet/offline).

Your servers are vulnerable simply if they support SSLv3. Several options here:

• With OpenSSL s_client:

  openssl s_client -connect <server>:<port> -ssl3
  

  If the connection succeeds, sslv3 is enabled. If it fails, it is disabled. When it fails you should see something like:

  error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
  

• Using nmap:

  nmap --script ssl-enum-ciphers -p 443 myhostname.tld
  

  It should output 'SSLv3: No supported ciphers found'. Adjust for your hostname/port.

• Using cipherscan. Clone/download the binary and execute it:

  ./cipherscan myhostname.tld
  

  It should not list anything with SSLv3 under the 'protocols' column.

Firefox browser

Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.

Firefox from version 34 onwards will disable SSLv3 by default and thus require no action (source). However, at the moment of writing, 33 is just released and 34 is set for November 25.

Google Chrome (Linux)

Edit the /usr/share/applications/google-chrome.desktop file, e.g.

sudo nano /usr/share/applications/google-chrome.desktop

Edit all lines starting with Exec= to include --ssl-version-min=tls1.

E.g. a line like

Exec=/usr/bin/google-chrome-stable %U

becomes

Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U

Then make sure to fully close the browser (Chrome apps may be keeping your browser active in the background!).

Note: You may need to repeat this every google-chrome package update, overwriting this .desktop launcher file. A Google Chrome or Chromium browser with SSLv3 disabled by default is not yet announced at the time of writing.

Apache HTTPD Server

If you're running Apache, just include the following line in your configuration among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3

Then check if the new configuration is correct (no typos etc.):

apachectl configtest

And restart the server, e.g.

sudo service apache2 restart

More info: Apache documentation

Now test it: If your site is publicly available, test it using Qualys’ SSL Labs tool.

Nginx server

If you're running Nginx, just include the following line in your configuration among the other SSL directives:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

And restart the server, e.g.

sudo service nginx restart

Reference: Nginx documentation

Now test it: If your site is publicly, available, test it using Qualys' SSL Labs tool.

Postfix SMTP

For 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), you don't need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

For 'mandatory SSL' mode being configured already, just add/change the smtpd_tls_mandatory_protocols setting:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

and restart Postfix:

sudo postfix restart

HAProxy Server

SSL is supported in HAProxy >= 1.5.

Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3. For example:

bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3

Reference: HAProxy Documentation

OpenVPN

As far as I can see, no specific TLS protocol level can be disabled in the configuration, but what you can do is configure it indirectly with the tls-cipher option.

In your .ovpn profile you can experiment with ciphers supported by your client using

openvpn --show-tls 

For example, you can take the very strong TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and set that in your profile like this:

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Adding more is possible, the list is colon separated, e.g. broaden the cipher list:

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Just be sure any of the ciphersuites is unsupported in SSLv3.

On a server, be sure to include many secure ciphers so you can have a good compatibility with clients.

Recommended configuration is TBD.

You can ensure SSL 3.0 is disabled on your site at http://poodlebleed.com/

Might not be ubuntu specific but in order to work around the Poodle vulnerablity in Node.js you can set the secureOptions to require('constants').SSL_OP_NO_SSLv3 when you create a https or tls server.

See https://gist.github.com/3rd-Eden/715522f6950044da45d8 for addition information