A vulnerability in SSLv3 was announced last night:
Long story short, SSLv3 allows man-in-the-middle attacks. SSLv3 is now considered unsafe, and the recommendation by vendors is to disable SSLv3 from all services.
How to disable SSLv3 on Amazon Elastic Load Balancers (ELB)
Newly created load balancers will no longer support SSLv3 by default. For existing load balancers:
1) Go to the AWS Management Console.
2) Browse to EC2 –> Load Balancers.
3) Select your load balancer.
4) Click on the Listeners tab. Under the “Cipher” column, click “Change” .
5) In the pop-up window, select “Predefined Security Policy”.
6) Select “ELBSecurityPolicy-2014-10”, then click Save.
7) Repeat these steps for every other ELB.
How to disable SSLv3 on Nginx
Edit your Nginx configuration file. For example:
And add/replace these SSL config lines, as recommended by CloudFlare:
How to disable SSLv3 on Apache
Edit your Apache configuration file. For example:
And add these lines:
Save the file, then verify the changes will work:
Then restart the server:
How to disable SSLv3 on Zimbra Collaboration Server (ZCS)
The Zimbra Wiki provides detailed instruction on how to disable SSLv3 on ZCS 8.0.x and 8.5.x:
How to disable SSLv3 on Windows Server and IIS
DigiCert provides registry files to disable SSLv3:
Alternatively, Microsoft provides steps via Group Policy to disable SSLv3:
If you require assistance with disabling SSLv3 on your infrastracture, contact Casey Labs today!