A vulnerability in SSLv3 was announced last night:

POODLE: SSLv3 vulnerability (CVE-2014-3566)

Long story short, SSLv3 allows man-in-the-middle attacks. SSLv3 is now considered unsafe, and vendors recommend disabling SSLv3 on all services.

How to disable SSLv3 on Amazon Elastic Load Balancers (ELB)

Newly created load balancers will no longer support SSLv3 by default. For existing load balancers:

1) Go to the AWS Management Console.
2) Browse to EC2 –> Load Balancers.
3) Select your load balancer.
4) Click on the Listeners tab. Under the “Cipher” column, click “Change”.
5) In the pop-up window, select “Predefined Security Policy”.
6) Select “ELBSecurityPolicy-2014-10”, then click Save.
7) Repeat these steps for every other ELB.


How to disable SSLv3 on Nginx

Edit your Nginx configuration file. For example:

sudo nano /etc/nginx/nginx.conf

And add/replace these SSL config lines, as recommended by CloudFlare:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;


How to disable SSLv3 on Apache

Edit your Apache configuration file. For example:

sudo nano /etc/apache2/httpd.conf

And add this line:

SSLProtocol All -SSLv2 -SSLv3

Save the file, then verify the changes will work:

sudo apachectl configtest

Then restart the server:

sudo service apache2 restart
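
To confirm that the edited configuration files no longer enable SSLv3, the script below checks the ssl_protocols and SSLProtocol directives from the Nginx and Apache sections above. It is an added example, not part of the original post; the function names and return codes are its own, and it assumes one directive per line and that Apache's "All" includes SSLv3.

```shell
#!/bin/sh
# Added example: static check of TLS protocol directives in config text.
# Return codes: 0 = SSLv3 enabled by at least one directive,
#               1 = every directive found excludes SSLv3,
#               2 = directive absent (the server build's default applies).
# Assumes one directive per line.

# nginx: ssl_protocols is an explicit list of enabled protocols.
nginx_sslv3_status() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "ssl_protocols" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                p = tolower($i); sub(/;$/, "", p)
                if (p == "sslv3") bad = 1
            }
        }
        END { exit (bad ? 0 : (seen ? 1 : 2)) }' "$1"
}

# Apache mod_ssl: tokens apply left to right; "+x" adds, "-x" removes,
# a bare token replaces the whole set. "all" is assumed to include SSLv3,
# as it did on builds current when POODLE was announced.
apache_sslv3_status() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "sslprotocol" {
            seen = 1; v3 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i); act = substr(t, 1, 1)
                if (act == "+" || act == "-") { t = substr(t, 2) } else { act = "" }
                hit = (t == "all" || t == "sslv3")
                if (act == "")  v3 = hit
                else if (hit)   v3 = (act == "+")
            }
            if (v3) bad = 1
        }
        END { exit (bad ? 0 : (seen ? 1 : 2)) }' "$1"
}

# Constructed sample input: the Apache line from this post, then a weak one.
demo=$(mktemp -d)
printf 'SSLProtocol All -SSLv2 -SSLv3\n' > "$demo/fixed.conf"
printf 'SSLProtocol All -SSLv2\n'        > "$demo/weak.conf"
for f in "$demo"/*.conf; do
    rc=0; apache_sslv3_status "$f" || rc=$?; echo "${f##*/}: status $rc"
done
rm -rf "$demo"
```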


How to disable SSLv3 on Zimbra Collaboration Server (ZCS)

The Zimbra Wiki provides detailed instructions on how to disable SSLv3 on ZCS 8.0.x and 8.5.x:



How to disable SSLv3 on Windows Server and IIS

DigiCert provides registry files to disable SSLv3:


Alternatively, Microsoft provides steps via Group Policy to disable SSLv3:



If you require assistance with disabling SSLv3 on your infrastructure, contact Casey Labs today!