Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

POODLE: Turning off SSLv3 for various servers and client.

Published: 2014-10-15
Last Updated: 2014-10-15 17:29:16 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Before you start: While adjusting your SSL configuration, you should also check for various other SSL related configuration options. A good outline can be found at as well as at (for web servers in particular)

Here are some configuration directives to turn off SSLv3 support on servers:

Apache: Add -SSLv3 to the "SSLProtocol" line. It should already contain -SSLv2 unless you list specific protocols. 

nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;

Postfix: Disable SSLv3 support in the smtpd_tls_manadatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3

HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)

puppet: see for instructions

For clients, turning off SSLv3 can be a bit more tricky, or just impossible.

Google Chrome: you need to start Google Chrome with the "--ssl-version-min=tls1" option. 

Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.

Firefox: check the "security.tls.version.min" setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3 only server.

For Microsoft Windows, you can use group policies. For details see Microsoft's advisory:

To test, continue to use our "POODLE Test" page at or the Qualys SSLLabs page at

To detect the use of SSLv3, you can try the following filters:

tshark/wireshark display filters: ssl.handshake.version==0x0300

​tcpdump filter: (1) accounting for variable TCP header length: 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'
                       (2) assuming TCP header length is 20: 'tcp[29:2]=0x0300'

We will also have a special webcast at 3pm ET. For details see 

the webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.

Johannes B. Ullrich, Ph.D.

3 comment(s)
Diary Archives