Last Updated: 2014-10-15 17:29:16 UTC
by Johannes Ullrich (Version: 1)
Before you start: While adjusting your SSL configuration, you should also check the various other SSL-related configuration options. A good outline can be found at http://bettercrypto.org as well as at http://ssllabs.com (for web servers in particular).
Here are some configuration directives to turn off SSLv3 support on servers:
Apache: Add -SSLv3 to the "SSLProtocol" line. It should already contain -SSLv2 unless you list specific protocols.
nginx: list the specific allowed protocols in the "ssl_protocols" line and make sure neither SSLv2 nor SSLv3 is listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Dovecot: similarly, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3
HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)
puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions
For clients, turning off SSLv3 can be a bit trickier, or simply impossible.
Google Chrome: you need to start Google Chrome with the "--ssl-version-min=tls1" option.
Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.
Firefox: check the "security.tls.version.min" setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3-only server.
For Microsoft Windows, you can use group policies. For details see Microsoft's advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx
To detect the use of SSLv3, you can try the following filters:
tshark/wireshark display filter: ssl.handshake.version==0x0300
tcpdump filter: (1) accounting for the variable TCP header length (data offset is the upper nibble of byte 12, in 32-bit words): 'tcp[((tcp[12]&0xf0)>>2)+9:2]=0x0300'
(2) assuming a TCP header length of 20 bytes: 'tcp[29:2]=0x0300'
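To show why the two tcpdump variants differ, here is an added example (not part of the diary) that implements both offset calculations in Python over constructed TCP segments carrying a minimal ClientHello; the payload offset 9 is the handshake-layer version field (5-byte record header plus 4-byte handshake header), and the segments are built inline for the test.

```python
import struct
from typing import Optional

SSLV3 = 0x0300
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def tcp_header_len(segment: bytes) -> int:
    """Data offset is the upper nibble of byte 12, in 32-bit words: (tcp[12]&0xf0)>>2 gives bytes."""
    return (segment[12] & 0xF0) >> 2


def handshake_version(segment: bytes) -> Optional[int]:
    """Mirror of tcp[((tcp[12]&0xf0)>>2)+9:2]: the version inside the handshake message.
    Returns None unless the payload starts with a handshake record (content type 0x16)."""
    payload = segment[tcp_header_len(segment):]
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3); then version(2)
    if len(payload) < 11 or payload[0] != 0x16:
        return None
    return struct.unpack("!H", payload[9:11])[0]


def naive_version(segment: bytes) -> Optional[int]:
    """Mirror of tcp[29:2]: silently assumes a 20-byte TCP header with no options."""
    if len(segment) < 31:
        return None
    return struct.unpack("!H", segment[29:31])[0]


def is_sslv3_handshake(segment: bytes) -> bool:
    """True when the segment carries a handshake whose version field is SSLv3 (0x0300)."""
    return handshake_version(segment) == SSLV3


def build_segment(header_len: int, record_version: int, hs_version: int, content_type: int = 0x16) -> bytes:
    """Constructed test data: a TCP header (options zero-padded to header_len) followed by
    a ClientHello-shaped record whose body stops right after the version field."""
    assert header_len % 4 == 0 and 20 <= header_len <= 60
    hdr = bytearray(header_len)
    struct.pack_into("!HH", hdr, 0, 44321, 443)   # constructed source/destination ports
    hdr[12] = (header_len // 4) << 4              # data offset nibble
    hdr[13] = 0x18                                # PSH|ACK
    body = struct.pack("!H", hs_version)
    hs = bytes([0x01]) + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    rec = bytes([content_type]) + struct.pack("!HH", record_version, len(hs)) + hs
    return bytes(hdr) + rec


if __name__ == "__main__":
    for hlen in (20, 32):
        seg = build_segment(hlen, SSLV3, SSLV3)
        print(hlen, VERSION_NAMES.get(handshake_version(seg)), naive_version(seg))
```

With TCP options present (a 32-byte header, common when timestamps are negotiated) the tcp[29:2] shortcut reads header bytes instead of the handshake version and misses the SSLv3 ClientHello.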
We will also have a special webcast at 3pm ET. For details see
The webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.