Mitigating the POODLE SSLv3 vulnerability

A new vulnerability was announced in the archaic SSLv3 protocol. You can defend your server by disabling the SSLv3 protocol. But keep in mind that, according to rumors, Windows XP with IE6 still uses it, so disabling SSLv3 basically means cutting old WinXP users off from your services.

At the bottom of the page you can also find tips for disabling SSLv3 in Firefox and Chrome.


Disabling SSLv3

apache

Add or modify the SSLProtocol line in /etc/httpd/conf.d/ssl.conf so it reads:

SSLProtocol all -SSLv2 -SSLv3

restart apache:

service httpd restart

postfix

Add to /etc/postfix/main.cf:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

restart postfix:

service postfix restart

dovecot before v2.1

To find your dovecot version, run:

[root@vps dovecot]# dovecot --version
2.0.9

In /etc/dovecot/conf.d/10-ssl.conf, add or modify the line:

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

dovecot v2.1 and newer

In /etc/dovecot/dovecot.conf, add or modify the line:

ssl_protocols = !SSLv2 !SSLv3

restart dovecot:

service dovecot restart
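To check that the three configuration files actually carry the settings above before and after the restarts, here is an added Python auditor (example code written for this page, not from the post). Each checker takes the text of one file, picks the relevant directive with the same last-setting-wins rule the daemons apply, and returns True only when SSLv3 ends up disabled. The sample configuration strings in it are constructed. Two things in it go beyond the post and are my additions: the Postfix checker can also be pointed at the smtpd_tls_protocols parameter, which governs opportunistic (non-mandatory) TLS, and the comment on the Dovecot-before-2.1 checker notes that in OpenSSL cipher-list syntax !SSLv3 removes the SSLv3-era cipher suites, which TLS 1.0 and 1.1 clients also use, rather than the protocol itself.

```python
"""Audit the SSLv3 settings changed in the post (added example, not the post's own code).

Each checker takes the text of one configuration file and returns True only
when SSLv3 ends up disabled. The sample snippets at the bottom are constructed
to exercise the checks; the real files live at the paths given in the post.
"""
import re

# What Apache's "all" keyword expanded to on a POODLE-era build (2.2 semantics;
# 2.4's "all" omits SSLv2, which does not change the SSLv3 verdict).
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def _directives(text):
    """Yield stripped, non-empty, non-comment lines of a config file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def apache_sslv3_disabled(conf_text):
    """Evaluate the last SSLProtocol directive: a later one overrides an
    earlier one in the same scope (<VirtualHost> scoping is not modelled)."""
    tokens = None
    for line in _directives(conf_text):
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            tokens = m.group(1).split()
    if tokens is None:
        return False  # no directive: httpd's default at the time allowed SSLv3
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "sslv3" not in enabled


def _last_value(conf_text, key):
    """Return the value of the last 'key = value' line, or None if absent."""
    value = None
    for line in _directives(conf_text):
        m = re.match(r"(\S+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() == key.lower():
            value = m.group(2).strip()
    return value


def protocol_list_excludes_sslv3(value):
    """Postfix and Dovecot >= 2.1 share this syntax: a comma/space separated
    list that either names the protocols to allow or excludes some with '!'."""
    if value is None:
        return False  # parameter not set: the era's defaults allowed SSLv3
    tokens = [t.lower() for t in re.split(r"[,\s]+", value) if t]
    if any(t.startswith("!") for t in tokens):
        return "!sslv3" in tokens
    return "sslv3" not in tokens


def postfix_sslv3_disabled(main_cf, param="smtpd_tls_mandatory_protocols"):
    """The post sets smtpd_tls_mandatory_protocols; pass
    param="smtpd_tls_protocols" to audit opportunistic TLS the same way."""
    return protocol_list_excludes_sslv3(_last_value(main_cf, param))


def dovecot21_sslv3_disabled(dovecot_conf):
    """Dovecot 2.1 and newer: ssl_protocols = !SSLv2 !SSLv3"""
    return protocol_list_excludes_sslv3(_last_value(dovecot_conf, "ssl_protocols"))


def dovecot20_cipher_list_excludes_sslv3(ssl_conf):
    """Dovecot before 2.1 has no ssl_protocols, so the post excludes SSLv3 via
    the OpenSSL cipher string. Caveat: '!SSLv3' there removes the SSLv3-era
    cipher suites (also used by TLS 1.0/1.1 clients), not the protocol; this
    check only verifies that the token is present."""
    value = _last_value(ssl_conf, "ssl_cipher_list")
    if value is None:
        return False
    return "!sslv3" in [t.lower() for t in value.split(":")]


# Constructed sample configurations (not files from any real server).
SAMPLE_APACHE = "SSLEngine on\n# SSLProtocol all\nSSLProtocol all -SSLv2 -SSLv3\n"
SAMPLE_POSTFIX = "smtpd_tls_security_level = may\nsmtpd_tls_mandatory_protocols=!SSLv2,!SSLv3\n"
SAMPLE_DOVECOT_21 = "ssl = yes\nssl_protocols = !SSLv2 !SSLv3\n"
SAMPLE_DOVECOT_20 = "ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3\n"


def audit_samples():
    """Run every checker over the constructed samples; True means SSLv3 is off."""
    return {
        "apache": apache_sslv3_disabled(SAMPLE_APACHE),
        "postfix": postfix_sslv3_disabled(SAMPLE_POSTFIX),
        "dovecot>=2.1": dovecot21_sslv3_disabled(SAMPLE_DOVECOT_21),
        "dovecot<2.1": dovecot20_cipher_list_excludes_sslv3(SAMPLE_DOVECOT_20),
    }


if __name__ == "__main__":
    for service, ok in audit_samples().items():
        print(f"{service:12} SSLv3 {'disabled' if ok else 'STILL ENABLED'}")
```

To audit a live file, pass its contents, e.g. apache_sslv3_disabled(open("/etc/httpd/conf.d/ssl.conf").read()). After a daemon has been restarted, an OpenSSL build that still includes SSLv3 support can confirm the result from outside: openssl s_client -connect host:443 -ssl3 (host being your server) should now fail to complete the handshake.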


Firefox

In the address bar, type about:config, search for security.tls.version.min and set its value to 1.


Chrome

Unlike in Firefox, you can't set this permanently somewhere in the configuration, so you have to start Chrome every time with the parameter --ssl-version-min=tls1
