Nginx
Dmitry, 2015-03-09 17:45:43

How to remove SSLv3 support?

The SSL Server Test service shows that there is a vulnerability:

    This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

with the following nginx settings for the server:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

The command

    openssl s_client -connect bpsimulator.com:443 -ssl3

outputs that SSL3 is available via ECDHE-RSA-AES256-SHA.
How do I permanently get rid of SSL3 on the server?

3 answer(s)
Nazar Mokrinsky, 2015-03-09
@prolis

What is your OS?
On any modern OS, Nginx has long been shipped with a secure default config. Remove all three quoted parameters from the virtual host; the system-wide ones will then be used, which (provided you did not change them; otherwise reinstall the package) will be safe.

Power, 2015-03-10
@Power

If the config says ssl_protocols TLSv1 TLSv1.1 TLSv1.2;, then SSLv3 is disabled. Period.
Most likely you just did not reload the config (sudo service nginx reload). And if you did reload, then there are probably errors in the config and it was not applied (check: sudo service nginx configtest).
Another option: you are checking incorrectly. Show exactly what this command outputs:

    openssl s_client -connect ... -ssl3
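An added example that is not from the thread: a small POSIX shell script covering both of the checks the answers recommend, (1) scanning nginx configuration text for any ssl_protocols directive that still lists SSLv3 and (2) reading the output of the question's openssl s_client -ssl3 command correctly, since a failed SSLv3 handshake and a successful one both print a "Protocol : SSLv3" line. The configuration text and the two s_client transcripts are constructed samples; the server names in them are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks for the two things
# the answers say to verify: the nginx config and the s_client output.

# Constructed sample config: the question's virtual host plus a second,
# forgotten server block (hypothetical names) that still allows SSLv3.
SAMPLE_CONF='
server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # fine
    ssl_prefer_server_ciphers on;
}
server {
    listen 443 ssl;
    server_name old.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
'

# Print (trimmed) every ssl_protocols directive in the given config text that
# still lists SSLv3 or SSLv2. Comments are stripped first so commented-out
# lines are not reported. Prints nothing when the config is clean.
sslv3_directives() {
    printf '%s\n' "$1" \
      | sed 's/#.*//' \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | grep -Eiw 'SSLv[23]' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Constructed, abridged sample of `openssl s_client -connect host:443 -ssl3`
# against a server that still accepts SSLv3.
SCLIENT_SSL3_OK='CONNECTED(00000003)
---
SSL handshake has read 3291 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
---'

# Constructed, abridged sample of the same command against a server that
# rejects SSLv3: old OpenSSL still prints "Protocol : SSLv3" here, with a
# zero cipher, which is the usual source of a false "SSLv3 is enabled".
SCLIENT_SSL3_REJECTED='CONNECTED(00000003)
140735250752336:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'

# Decide from saved s_client output whether an SSLv3 session was really
# established. The "New, TLSv1/SSLv3, Cipher is ..." line is ignored on
# purpose: it labels the cipher-suite family and appears for TLS sessions
# too. Only the SSL-Session block counts, and a handshake that was refused
# leaves the cipher at 0000 / (NONE).
sslv3_verdict() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ "$proto" = "SSLv3" ] && [ -n "$cipher" ] \
       && [ "$cipher" != "0000" ] && [ "$cipher" != "(NONE)" ]; then
        echo "SSLv3 ACCEPTED ($cipher)"
    else
        echo "SSLv3 rejected"
    fi
}

echo "ssl_protocols directives that still allow SSLv3:"
sslv3_directives "$SAMPLE_CONF"
sslv3_verdict "$SCLIENT_SSL3_OK"          # SSLv3 ACCEPTED (ECDHE-RSA-AES256-SHA)
sslv3_verdict "$SCLIENT_SSL3_REJECTED"    # SSLv3 rejected

# Against a live host (after `nginx -t` and a reload), feed the real output in:
#   sslv3_verdict "$(openssl s_client -connect host:443 -ssl3 </dev/null 2>&1)"
```

Two caveats when using this for real. First, run the config scan over everything nginx actually loads (nginx -T dumps the merged configuration on 1.9.2 and later), because a second server block or an included file is the usual reason SSLv3 survives a directive that looks correct. Second, a config with no ssl_protocols directive at all falls back to the compiled-in default, and upstream nginx only dropped SSLv3 from that default in 1.9.1, so on the versions current when this thread was written an explicit directive is the safe choice regardless of distribution. Note also that the -ssl3 test only works with an OpenSSL build that still includes SSLv3 support; OpenSSL 1.1.0 and later leave it out by default, in which case the client error is not evidence about the server either way.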
