OVH Guide

How to fix SSLv3 POODLE vulnerability in Nginx and Apache on Ubuntu 14.04.1

Introduction:

The POODLE attack, recently published by Google, forces an encrypted connection to fall back to the long-outdated SSLv3 protocol. For compatibility reasons, almost all browsers still support this protocol, even though it is no longer really needed. The best protection is therefore simply to turn it off. The worst that can happen is that older browsers can no longer establish an encrypted connection, but this only occurs in isolated cases. It certainly applies to Internet Explorer 6, which is only rarely used, and anyone still using that relic has plenty of other problems to contend with. Web servers should support at least TLS 1.0.

How to disable SSLv3 on Nginx:

1) Find all virtualhost configuration files that use the "ssl_protocols" directive:

$ grep -R "ssl_protocols" /etc/nginx/sites-*

2) Edit each file found in step 1 that contains the "ssl_protocols" directive:

$ sudo nano /etc/nginx/sites-available/default

3) Now find the following line:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

4) And remove the option "SSLv3" so that the line will look like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

5) Reload Nginx to make the change take effect:

$ sudo service nginx reload

How to disable SSLv3 on Apache:

1) Edit Apache's SSL configuration:

$ sudo nano /etc/apache2/mods-enabled/ssl.conf

2) Find the following line:

SSLProtocol all -SSLv2

3) And add the option "-SSLv3" so that the line will look like this:

SSLProtocol all -SSLv2 -SSLv3

4) Restart Apache to make the change take effect:

$ sudo service apache2 restart
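
To confirm that no file was missed after the Nginx and Apache steps above, the following script reports every configuration file in which SSLv3 is still enabled. It is an added example, not part of the original guide; the function names and the script name audit.sh are hypothetical, and it assumes each directive sits on a single line and that Apache's "all" includes SSLv3, as on the setup described here.

```shell
# Added example: report config files in which SSLv3 is still enabled.

# nginx: exit 0 if an uncommented ssl_protocols directive lists SSLv3.
nginx_has_sslv3() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sub(/;$/, "", t)
                if (t == "sslv3") found = 1
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Apache: evaluate SSLProtocol tokens left to right, as mod_ssl does.
# Assumption: "all" includes SSLv3, as it does on the setup this guide covers.
apache_has_sslv3() {
    awk '
        { sub(/#.*/, "") }
        tolower($1) == "sslprotocol" {
            on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i); c = substr(t, 1, 1)
                if (c == "+" || c == "-") t = substr(t, 2)
                hit = (t == "all" || t == "sslv3")
                if (c == "-")      { if (hit) on = 0 }
                else if (c == "+") { if (hit) on = 1 }
                else on = hit                   # bare token replaces the set
            }
            if (on) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_sslv3 nginx|apache FILE...  -> prints offenders, returns 1 if any.
audit_sslv3() {
    kind=$1; shift; bad=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if "${kind}_has_sslv3" "$f"; then
            echo "SSLv3 still enabled: $f"; bad=1
        fi
    done
    return "$bad"
}

# Example: sh audit.sh nginx /etc/nginx/sites-enabled/*
if [ "$#" -ge 2 ]; then audit_sslv3 "$@"; fi
```

Run it once with "nginx" and the virtualhost files, and once with "apache" and /etc/apache2/mods-enabled/ssl.conf; no output and exit status 0 mean no directive re-enables SSLv3.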