The POODLE bytes: Taming the Dog

Just yesterday, my supervisor forwarded me an email about the SSLv3 POODLE attack, and asked me if our servers were secured against this issue. I was forced to admit that I had never heard of POODLE, but that I’d do some research and get back to her.

I Googled around a bit and found a plethora of sites that claimed to have the answer, but offered no usable help. I finally found a Qualys SSLLabs blog post by Ivan Ristic. This lead me to Scott Helme’s SLLv3 post, which gave me the answer!.

You can test your server using the Qualys SSL Labs SSL server tool.

The short answer is, add the following line to httpd-ssl.conf in Apache’s conf/extra directory:

SSLProtocol All -SSLv2 -SSLv3

It appealed to my sense of order to put it just before the line:

# SSL Protocol Adjustments:

Yeah, it might have been best to put it after that line in the section that follows that comment, but I just put it before.

After stopping Apache and restarting it, I found that my server(s) were no longer vulnerable to POODLE.

If the Apache config files already have a SSLProtocol line, you may want to replace it with this one.  Otherwise, you’re on your own. (Feel free to use the resources I’ve listed above, but that’s about all the help I’ve got for you).

So, that’s my experience in killing POODLEs.

Now I’ve got a 9-page PDF to read to figure out how to fix some non-POODLE issues. Ugh!

Happy Slacking!
Stu…

 

Leave a Comment