Poodle fix – Apache/IHS

Overview

POODLE is a security vulnerability in SSLv3 discovered by Google. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. Every website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. Using POODLE, an attacker who can run a man-in-the-middle attack on your network traffic can steal secure HTTP cookies.

SSL v2 and v3 have many security flaws, and if you are working towards a penetration test or PCI compliance, you will be expected to close the security finding by disabling SSL v2/v3.

Any SSL v2/v3 communication may be vulnerable to a man-in-the-middle attack that could allow data tampering or disclosure.

Let's configure the Apache web server to accept only the latest TLS versions and reject SSL v2/v3 connection requests.

Implementation

  • Go to the $Web_Server/conf folder
  • Modify the SSLProtocol directive in httpd-ssl.conf as below so that only TLS 1.0 and later are accepted:

SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

Restart the web server.
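As an added example (not part of the original post), the following Python applies mod_ssl's left-to-right rules for an SSLProtocol value ('+' adds a protocol, '-' removes one, a bare word replaces the set, ALL is a shortcut) so you can check before restarting whether a given setting still admits SSLv2/SSLv3. It assumes the OpenSSL 1.0.1-era expansion of ALL used on this page (SSLv3 through TLSv1.2, no TLS 1.3) and rejects unknown words, including a non-ASCII dash pasted from a web page, the way mod_ssl reports an illegal protocol.

```python
"""Evaluate an Apache mod_ssl SSLProtocol directive value and report
whether the resulting protocol set still exposes the server to POODLE."""

# Assumption: ALL expands to this set (mod_ssl built against OpenSSL >= 1.0.1,
# before TLS 1.3 existed), matching the directive discussed on this page.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {"SSLv2", *ALL_PROTOCOLS}
LEGACY = {"SSLv2", "SSLv3"}  # POODLE needs SSLv3; SSLv2 is older still


def parse_ssl_protocol(directive: str) -> set:
    """Return the protocols the server would accept for this directive value.

    Words are processed left to right, case-insensitively, as mod_ssl does:
    '+word' adds, '-word' removes, a bare word replaces the whole set.
    """
    enabled = set()
    for word in directive.split():
        action = ""
        if word[0] in "+-":          # only ASCII '+' and '-' are prefixes
            action, word = word[0], word[1:]
        if word.lower() == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            found = next((p for p in KNOWN if p.lower() == word.lower()), None)
            if found is None:
                # An en dash pasted as '–ALL' lands here: mod_ssl would refuse
                # to start with "Illegal protocol".
                raise ValueError(f"SSLProtocol: Illegal protocol '{word}'")
            chosen = {found}
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen        # bare word: replaces everything selected so far
    return enabled


def poodle_exposed(directive: str) -> set:
    """Legacy protocols still accepted; an empty set means SSLv2/SSLv3 are off."""
    return parse_ssl_protocol(directive) & LEGACY


if __name__ == "__main__":
    # Weak default-style value beside the two corrected forms.
    for value in ("ALL", "ALL -SSLv2 -SSLv3", "-ALL +TLSv1 +TLSv1.1 +TLSv1.2"):
        print(f"{value!r:40} exposed={sorted(poodle_exposed(value))}")
```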