
2014-10-15 POODLE issue with SSLv3 (CVE-2014-3566)

The POODLE issue (CVE-2014-3566) is a vulnerability in the design of SSL version 3.0. It allows a network attacker to recover the plaintext of secure connections.

All current Bitnami stacks already have the SSLv3 protocol disabled, so they are not affected by this issue. To confirm this, look for the following line in the Apache configuration file /opt/bitnami/apache2/conf/bitnami/bitnami.conf:

SSLProtocol all -SSLv2 -SSLv3

Detect whether your server is vulnerable

If you are running a Bitnami stack that was released earlier than 201404, you should check whether your server is vulnerable. You can run the command below from your local machine or from the server itself. Replace the DOMAIN placeholder with the domain of your server:

$ curl --sslv3 https://DOMAIN

If you get the following result, SSLv3 protocol is disabled for HTTPS:

curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If you see the web page in the command line, your server allows the SSLv3 protocol for HTTPS, so you should disable it, as described in the next section.

Secure your server

Apache

The best way to secure your server is to disable the SSLv3 protocol for HTTPS URLs. Follow the steps below:

  • Edit the SSL configuration for Apache in the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file and add the SSLProtocol all -SSLv2 -SSLv3 configuration option:

    Listen 443
    SSLProtocol all -SSLv2 -SSLv3

  • Check the Apache configuration:

    $ sudo apachectl -t

  • Restart the server:

    $ sudo apachectl restart

To check if the SSLv3 protocol has been correctly disabled, use the curl command from the previous section.

NGINX

If you are using NGINX instead of Apache, follow these steps:

  • Edit the /opt/bitnami/nginx/nginx.conf configuration file and add the ssl_protocols TLSv1 TLSv1.1 TLSv1.2; directive in the default http section:

    http {
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ...
    }


To check if the SSLv3 protocol has been correctly disabled, use the curl command from the previous section.
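As an added example (not part of the original Bitnami documentation), the following Python script audits the Apache SSLProtocol and NGINX ssl_protocols directives described in the two sections above and reports whether SSLv3 is still enabled, without needing network access to the server. It implements mod_ssl's parsing rules (a bare protocol name replaces the set, +name adds, -name removes, all expands to every protocol) against constructed sample configuration fragments; the expansion of all and the treatment of a missing directive as "review the server default" are assumptions of this example.

```python
import re

# Assumption for this example: what 'all' expanded to in POODLE-era mod_ssl.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in APACHE_ALL}  # mod_ssl matches names case-insensitively


def apache_protocols(config_text):
    """Protocols enabled by the last SSLProtocol line (None if no such line).

    Mirrors mod_ssl parsing: a bare token replaces the current set, '+name' adds,
    '-name' removes, 'all' expands to APACHE_ALL. Order matters: the line
    'SSLProtocol -SSLv3 all' still ends up with SSLv3 enabled.
    """
    enabled = None
    for line in config_text.splitlines():
        m = re.match(r"SSLProtocol\s+(.+)", line.split("#", 1)[0].strip(), re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        for token in m.group(1).split():
            action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
            names = set(APACHE_ALL) if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
            if action == "-":
                enabled -= names
            elif action == "+":
                enabled |= names
            else:
                enabled = names  # bare token overwrites whatever came before it
    return enabled


def nginx_protocols(config_text):
    """Protocols listed by the last ssl_protocols directive (None if absent)."""
    enabled = None
    for line in config_text.splitlines():
        m = re.match(r"ssl_protocols\s+([^;]+);", line.split("#", 1)[0].strip())
        if m:
            enabled = set(m.group(1).split())
    return enabled


def allows_sslv3(enabled):
    """True if SSLv3 is enabled, or if no directive was found (assumption: an unknown
    server default is reported so the operator reviews it)."""
    return enabled is None or "SSLv3" in enabled


# Constructed sample fragments, modelled on the files named on this page.
APACHE_SAMPLE = "Listen 443\nSSLProtocol all -SSLv2 -SSLv3\n"
NGINX_SAMPLE = "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
print("Apache allows SSLv3:", allows_sslv3(apache_protocols(APACHE_SAMPLE)))  # False
print("NGINX allows SSLv3:", allows_sslv3(nginx_protocols(NGINX_SAMPLE)))  # False
```

The script only evaluates the last directive it finds, so run it against the file for the scope (server or virtual host) that actually serves port 443.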