Protect your server from the POODLE attack

You can protect your server from the POODLE attack, as described here, by disabling the SSLv3 protocol on your (Ubuntu) Apache web server. This only requires changing a single configuration file: edit /etc/apache2/apache2.conf and search for the line containing SSLProtocol. Change this line from

SSLProtocol all -SSLv2

to

SSLProtocol all -SSLv2 -SSLv3

This disables SSLv3 connections to your server. Restart your Apache web server

sudo service apache2 restart

and then test whether the changes were successful:

1. Try to open an SSLv2 connection; this should give you an error:

openssl s_client -ssl2 -connect bjdejong.nl:443

CONNECTED(00000003)
1255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s2_pkt.c:427:

2. Try to open an SSLv3 connection; this should give you an error:

openssl s_client -ssl3 -connect bjdejong.nl:443

CONNECTED(00000003)
1256:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:1143:SSL alert number 40
1256:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:564:

3. Try to open a TLS connection; this should give you no error:

openssl s_client -tls1 -connect bjdejong.nl:443

CONNECTED(00000003)
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify return:1
---
Certificate chain
0 s:/O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
i:/O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE----
MIIDnzCCAoegAwIBAgIJAJl1fA2nG/6eMA0GCSqGSIb3DQEBBQUAMGYxITAfBgNV
......

If everything went OK, your server is protected against the POODLE attack.
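
SSLProtocol can appear more than once in an Apache configuration (for example inside a virtual host), so it is worth checking every occurrence and not only the line you edited. The script below is an added example, not part of the original post: it reads a configuration on standard input and reports, per SSLProtocol directive, whether SSLv3 is still enabled. It assumes "all" includes SSLv3; the function names and the sample configuration are constructed for illustration.

```sh
# Added example: audit SSLProtocol directives for SSLv3.
# Assumption: "all" includes SSLv3, as on the Apache build this post targets.

# sslv3_state "<lower-cased directive arguments>" -> "enabled" or "disabled"
# Tokens apply left to right: +proto adds, -proto removes, a bare name resets.
sslv3_state() {
    state=disabled
    for tok in $1; do
        case "$tok" in
            all|+all|sslv3|+sslv3) state=enabled ;;
            -all|-sslv3)           state=disabled ;;
            [+-]*)                 ;;                # other protocol added/removed
            *)                     state=disabled ;; # bare other protocol resets the list
        esac
    done
    echo "$state"
}

# audit_config < FILE -> one report line per directive; returns 1 if any
# directive leaves SSLv3 enabled.
audit_config() {
    rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f           # word-split without globbing
        [ $# -gt 0 ] || continue
        name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        [ "$name" = sslprotocol ] || continue  # also skips "# SSLProtocol ..." comments
        shift
        st=$(sslv3_state "$(printf '%s' "$*" | tr 'A-Z' 'a-z')")
        echo "line $n: SSLv3 $st ($*)"
        if [ "$st" = enabled ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample configuration, not taken from a real server.
sample_config() {
    cat <<'EOF'
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
# SSLProtocol all
SSLProtocol -all +TLSv1 +SSLv3
EOF
}

sample_config | audit_config || echo "at least one directive still allows SSLv3"
```

To check a real file, run audit_config < /etc/apache2/apache2.conf and repeat for any other configuration files your server includes.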
