16 Oct 2014

SSL 3.0 disabled to protect against Poodle bites

Have you already heard about the recent vulnerability in SSL called Poodle?

Like other big companies such as Akamai, Google and Twitter, we have also disabled SSL 3.0 support in our network.

We recommend taking this vulnerability seriously and disabling SSL 3.0 on your own servers and browsers.

How to check if my server is vulnerable?

Run the following command in your terminal:

openssl s_client -connect your-website.com:443 -ssl3

If you receive an error response like this:

26373:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1099:SSL alert number 40
26373:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

Then everything is fine: the server refused the SSL 3.0 handshake. But if the above command completes the handshake and prints your SSL certificate, then your server is vulnerable to Poodle.
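The check above, automated as an added shell example (not part of the original post): one function interprets the text that "openssl s_client -ssl3" prints, another runs it against a host. The hostname at the end is a placeholder. Note that OpenSSL builds compiled without SSLv3 support reject the -ssl3 option entirely; the script reports that separately rather than as a verdict on the server.

```shell
#!/bin/sh
# Added example, not from the original post: automate the SSL 3.0 check.

# Classify captured "openssl s_client -ssl3" output.
# "vulnerable"      : the server accepted SSLv3 and sent its certificate
# "not_vulnerable"  : the server refused SSLv3 (alert 40 / handshake failure)
# "no_ssl3_client"  : this OpenSSL was built without SSLv3, so -ssl3 is unknown
# "unknown"         : anything else (connection refused, DNS failure, ...)
classify_ssl3_output() {
    out="$1"
    case "$out" in
        *"BEGIN CERTIFICATE"*)
            echo "vulnerable" ;;
        *"handshake failure"*|*"alert number 40"*)
            echo "not_vulnerable" ;;
        *"nknown option"*)
            echo "no_ssl3_client" ;;
        *)
            echo "unknown" ;;
    esac
}

# Run the check from the post against HOST [PORT]; exit status 1 if vulnerable.
check_ssl3() {
    host="$1"
    port="${2:-443}"
    # </dev/null closes stdin so s_client exits right after the handshake.
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    result=$(classify_ssl3_output "$out")
    echo "$host:$port SSLv3 check: $result"
    [ "$result" != "vulnerable" ]
}

# Usage, with a placeholder hostname:
# check_ssl3 your-website.com 443
```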

How to disable SSL 3.0 on my server?

To disable SSL 3.0 on your server, add the following to your Apache configuration:

SSLProtocol All -SSLv2 -SSLv3

or the following to your nginx configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

How to disable SSL 3.0 in my browser?

Most recent browsers offer an option to disable SSL 3.0. In Firefox, for example, it is located at:

Preferences -> Advanced -> Encryption

Sincerely, your CDNsun team.