{"id":643,"date":"2023-09-12T13:59:46","date_gmt":"2023-09-12T20:59:46","guid":{"rendered":"https:\/\/blog.iabsolute.com\/?p=643"},"modified":"2023-09-12T13:59:46","modified_gmt":"2023-09-12T20:59:46","slug":"ssl-v3-goes-to-the-dogs-poodle-kills-off-protocol","status":"publish","type":"post","link":"https:\/\/blog.iabsolute.com\/?p=643","title":{"rendered":"SSL v3 goes to the dogs &#8211; POODLE kills off protocol"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\" id=\"apache\">Apache<\/h4>\n\n\n\n<p>To disable SSLv3 on your Apache server you can configure it using the following.<\/p>\n\n\n\n<p><code>SSLProtocol All -SSLv2 -SSLv3<\/code><\/p>\n\n\n\n<p>This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.<\/p>\n\n\n\n<p><code>apachectl configtest<\/code><\/p>\n\n\n\n<p><code>sudo service apache2 restart<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"nginx\">NginX<\/h4>\n\n\n\n<p>Disabling SSLv3 support on NginX is also really easy.<\/p>\n\n\n\n<p><code>ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<\/code><\/p>\n\n\n\n<p>Similar to the Apache config above, you will get TLSv1.0+ support and no SSL. You can check the config and restart.<\/p>\n\n\n\n<p><code>sudo nginx -t<\/code><\/p>\n\n\n\n<p><code>sudo service nginx restart<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"iis\">IIS<\/h4>\n\n\n\n<p>This one requires some registry tweaks and a server reboot but still isn&#8217;t all that bad. 
Microsoft have a&nbsp;<a href=\"https:\/\/support.microsoft.com\/kb\/187498\/en-us?ref=scotthelme.co.uk\">support article<\/a>&nbsp;with the required information, but all you need to do is modify\/create a registry DWORD value.<\/p>\n\n\n\n<p><code>HKey_Local_Machine\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols<\/code><\/p>\n\n\n\n<p>Inside protocols you will most likely have an&nbsp;<code>SSL 2.0<\/code>&nbsp;key already, so create&nbsp;<code>SSL 3.0<\/code>&nbsp;alongside it if needed. Under that create a&nbsp;<code>Server<\/code>&nbsp;key and inside there a DWORD value called&nbsp;<code>Enabled<\/code>&nbsp;with value&nbsp;<code>0<\/code>. Once that&#8217;s done reboot the server for the changes to take effect.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/scotthelme.co.uk\/content\/images\/2014\/10\/iis-settings.png\" alt=\"IIS Settings\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"howtocheckyourserver\">How to check your server<\/h3>\n\n\n\n<p>The easiest and probably the most widely used method to test anything to do with your SSL setup is the&nbsp;<a href=\"https:\/\/www.ssllabs.com\/ssltest\/index.html?ref=scotthelme.co.uk\">Qualys SSL Test<\/a>. Simply navigate to the site, enter the domain for the website you want to test and hit submit to start the test.<\/p>\n\n\n\n<p><a href=\"https:\/\/scotthelme.co.uk\/sslv3-goes-to-the-dogs-poodle-kills-off-protocol\/\">SSLv3 goes to the dogs; POODLE kills off protocol (scotthelme.co.uk)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apache To disable SSLv3 on your Apache server you can configure it using the following. SSLProtocol All -SSLv2 -SSLv3 This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. 
Check the config &hellip; <a href=\"https:\/\/blog.iabsolute.com\/?p=643\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,2,7],"tags":[],"class_list":["post-643","post","type-post","status-publish","format-standard","hentry","category-apache","category-my-linux","category-windows"],"_links":{"self":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=643"}],"version-history":[{"count":1,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/643\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/643\/revisions\/644"}],"wp:attachment":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}