Sebastian Mogilowskis Blog

Just another blog about administration, linux and other stuff

Disabling SSLv3 for POODLE on Debian

Test and fix SSLv3 on Debian.

Test for SSLv3

First, test whether your server still accepts an SSLv3 handshake:

openssl s_client -connect YOUR_URL_OR_IP:443 -ssl3

If the answer is something like:

routines:SSL3_READ_BYTES:sslv3 alert handshake failure

everything is fine and SSLv3 is not available. If your server completes the handshake instead, you have to disable it!

Apache 2

For Apache 2 edit “/etc/apache2/mods-available/ssl.conf” and replace

SSLProtocol All -SSLv2

with

SSLProtocol All -SSLv2 -SSLv3

Now restart your Apache Webserver:

service apache2 restart

Nginx

For the Nginx webserver edit “/etc/nginx/nginx.conf” and insert inside the http {} block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Now restart your Nginx Webserver:

service nginx restart

Postfix

For the Postfix mail server edit “/etc/postfix/main.cf” and insert this TLS parameter:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Now restart your mail server:

service postfix restart

Dovecot

To disable SSLv3 in Dovecot, edit “/etc/dovecot/conf.d/10-ssl.conf” (the file may not exist yet; create it if needed) and insert:

ssl_protocols = !SSLv2 !SSLv3

And of course restart Dovecot:

service dovecot restart
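Once the services are restarted, the check from the top of the post is worth repeating for every protocol version, not just SSLv3. The script below is an added example, not part of the original post: it runs openssl s_client with each version flag against a host and port given on the command line and classifies the transcript. It assumes openssl is on PATH, and the two sample transcripts are constructed from the output shapes quoted in the post and comments, not real captures. Note the "untestable" case: a current OpenSSL built without SSLv3 cannot even try the -ssl3 handshake, so a failure there proves nothing about the server.

```shell
#!/bin/sh
# Added example (not the post's own code): probe which SSL/TLS versions a
# server accepts, one "openssl s_client -<version>" run at a time.
# Assumption: openssl is on PATH; host and port come from the arguments.

# classify_handshake reads one s_client transcript (stdout+stderr) on stdin
# and prints one of: accepted, rejected, untestable (the local openssl does
# not speak that version, so nothing is proven), unreachable, unknown.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE 'nknown option'; then
        echo untestable
    elif printf '%s\n' "$out" | grep -qE 'connect:errno|Connection refused'; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -qE 'alert handshake failure|alert protocol version|wrong version number|Cipher is \(NONE\)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qE '^ *Protocol *: *(SSLv3|TLSv1(\.[12])?)$'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe_version HOST PORT FLAG   e.g. probe_version www.example.org 443 -ssl3
probe_version() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>&1 | classify_handshake
}

# probe_all HOST PORT: prints one line per version, e.g. "-ssl3 rejected".
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Constructed transcripts (not real captures) to exercise the classifier offline:
# the first is the shape Maurice posted (SSLv3 still negotiated), the second
# the "alert handshake failure" shape the post describes as the good result.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_REJECTED='SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

if [ $# -ge 1 ]; then
    probe_all "$1" "${2:-443}"
fi
```

Run it as `sh probe.sh YOUR_URL_OR_IP 443`; for port 25 or 993 the same classifier applies once you add the matching `-starttls` option to the s_client call.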

6 thoughts on “Disabling SSLv3 for POODLE on Debian”

  • Toby says:

    Thank you for this great summary!
    Having configuration hints for disabling SSLv3 on all major services in one place saved me lots of time.

    In addition for postfix you need to either make TLS mandatory

    smtpd_enforce_tls=yes

    or disable SSLv3 entirely

    smtpd_tls_protocols=!SSLv2,!SSLv3

    The first option is generally NOT a good idea since many mailservers do not support encryption.

    And if you also want to disable SSLv3 on the SMTP Client side (i.e. when Postfix sends mails) you need to add the equivalent directives starting with smtp_

    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtp_tls_protocols=!SSLv2,!SSLv3

    I can also recommend this page: https://disablessl3.com/

    Toby

  • Felix says:

    Actually, this does not work for OpenSSL on Debian Stable, because it disables TLSv1.0 and TLSv1.1 too. I don’t know what the heck the problem is with the openssl library in Debian, but it does not separately list TLSv1.0 and v1.1. So if you place !SSLv3 in your CipherChain you will only be able to talk to TLSv1.2 capable clients. Trying to connect e.g. with the webkit browser in Android 4.3 will fail; chrome instead works, as it seems to bring its own SSL library.

  • Toby says:

    Hmm, I can’t confirm this problem.
    Configuring my Apache on Debian Wheezy using
    SSLProtocol All -SSLv2 -SSLv3
    only disables SSLv3 and I can still connect using TLS 1.0.

  • Maurice says:

    I’m still able to connect to the server using sslv3 with the command “openssl s_client -connect YOUR_URL_OR_IP:443 -ssl3” after I have changed the current setting to “SSLProtocol All -SSLv2 -SSLv3” in my /etc/apache2/mods-available/ssl.conf file on my Debian 7.8 box.

    And I have restarted the apache service.

    *** snip ***

    SSL handshake has read 1472 bytes and written 289 bytes

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : SSLv3
    Cipher : ECDHE-RSA-AES256-SHA
    … etc

    • sebastian says:

      Hmm, you should get:

      Secure Renegotiation IS NOT supported

      Are you using mod_ssl? List your active modules with:

      apache2ctl -M

      And please check that you are not configuring the module in other config files as well.

      Perhaps you will find another config with:

      grep -r 'SSLProtocol' /etc/apache2
