POODLE VULNERABILITY: How to disable SSLv3 on Nginx, Apache, IIS, Zimbra, and Amazon Elastic Load Balancers

A vulnerability in SSLv3 was announced last night:

POODLE: SSLv3 vulnerability (CVE-2014-3566)

Long story short, SSLv3 allows man-in-the-middle attacks. SSLv3 is now considered unsafe, and the recommendation by vendors is to disable SSLv3 from all services.

How to disable SSLv3 on Amazon Elastic Load Balancers (ELB)

Newly created load balancers will no longer support SSLv3 by default. For existing load balancers:

1) Go to the AWS Management Console.
2) Browse to EC2 –> Load Balancers.
3) Select your load balancer.
4) Click on the Listeners tab. Under the “Cipher” column, click “Change” .
5) In the pop-up window, select “Predefined Security Policy”.
6) Select “ELBSecurityPolicy-2014-10”, then click Save.
7) Repeat these steps for every other ELB.


How to disable SSLv3 on Nginx

Edit your Nginx configuration file. For example:

sudo nano /etc/nginx/nginx.conf

And add/replace these SSL config lines, as recommended by CloudFlare:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;


How to disable SSLv3 on Apache

Edit your Apache configuration file. For example:

nano /etc/apache2/httpd.conf

And add these lines:

SSLProtocol All -SSLv2 -SSLv3

Save the file, then verify the changes will work:

sudo apachectl configtest

Then restart the server:

sudo service apache2 restart


How to disable SSLv3 on Zimbra Collaboration Server (ZCS)

The Zimbra Wiki provides detailed instruction on how to disable SSLv3 on ZCS 8.0.x and 8.5.x:



How to disable SSLv3 on Windows Server and IIS

DigiCert provides registry files to disable SSLv3:


Alternatively, Microsoft provides steps via Group Policy to disable SSLv3:



If you require assistance with disabling SSLv3 on your infrastracture, contact Casey Labs today!


AWS Consulting

Casey Labs provides AWS consulting for growing companies, helping them to build secure server infrastructure in the cloud.

Contact us today: [email protected]