Blog: How-Tos

POODLE SSLv3 Redux: How to fix it

Jamie Riden 15 Oct 2014

POODLE

SSLv3 has been known to have been at least partially broken since 2002, however advancements in understanding the flaw mean that it is now a workable exploit, named POODLE (Padding Oracle on Downgraded Legacy Encryption).

Because of weaknesses in the SSLv3 protocol, it turns out that an attacker who is able to conduct an active man-in-the-middle attack could infer data that is protected by the SSL encryption of your session. Unfortunately, since most browsers allow downgrade to SSLv3, this means you need to disable SSLv3 support on the client side if possible.

Server owners should probably disable SSLv3 as well – though this may impact users on Windows XP / Internet Explorer 6. You should probably force these people to upgrade, as they’ve got other problems if they’re on IE 6.

Client-side fix – Internet explorer

If you just have one or two machines, you can simply disable SSL v3.0 in the Internet Options -> Advanced Page:

poodle1

On Firefox, the suggested fix is as follows on the about:config page – though mine was not vulnerable initially anyway:

poodle2

Group Policy for Clients:

If you have a lot of machines, you probably want to push the setting via Group Policy.

Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page:

poodle3

…and then set it to TLS1.0, TLS1.1 and TLS1.2 only:

poodle4

…then the clients should look like the first figure – but with the options greyed out:

poodle5

When you’re done with the settings, visit the ISC’s test page https://www.poodletest.com/:

poodle6

It’s also a good idea to disable SSLv3 on servers – though this may impact people using XP/IE6 unfortunately.

On Apache you may use the SSLProtocol directive to achieve this:

SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/PrivateKey.key
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”

And on Windows, the following PowerShell seems to do the trick for me – it creates some new registry keys, so that TLS1.1 and TLS1.2 support is present, and disables both SSL2 and SSL3. (I borrowed half the script from someone else’s page, and have now lost the reference to it I’m sorry!):

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -name “Enabled” -value 1 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -name “DisabledByDefault” -value 0 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -name “Enabled” -value 1 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -name “DisabledByDefault” -value 0 -PropertyType “DWord”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server” -name “Enabled” -value 1 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server” -name “DisabledByDefault” -value 0 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client” -name “Enabled” -value 1 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client” -name “DisabledByDefault” -value 0 -PropertyType “DWord”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server” -name Enabled -value 0 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client” -name Enabled -value 0 -PropertyType “DWord”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client”
md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -name Enabled -value 0 -PropertyType “DWord”
new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client” -name Enabled -value 0 -PropertyType “DWord”

Alternatively, running IIS Crypto and selecting the FIPS profile and restarting also seemed to work for us. If you’re running Windows 2003, it would be sensible to make sure the following hotfix is applied to give the following two new cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA.

Hotfix available here: https://support.microsoft.com/kb/948963

In nginx, use the ssl_protcols directive:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

References:

Microsoft Bulletin: https://technet.microsoft.com/library/security/3009008

Adam Langley’s blog: https://www.imperialviolet.org/2014/10/14/poodle.html

Qualys SSL Labs: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

OpenSSL Paper: https://www.openssl.org/~bodo/ssl-poodle.pdf

Removing SSLv3 from F5 Big-IP: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

Amazon Web Services: https://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advisory/