Skip to content

The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: Poodle.
You can read more about it here and there, tl;dr it exploits a weakness in SSLv3 to allow MITM attacks:
https://www.imperialviolet.org/2014/10/14/poodle.html (local copy)
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

To fix this in Apache HTTPD edit your ssl configuration file (eg /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3
If you're running CPanel there's more you need to do:
- go in "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go in "Home »Service Configuration »Apache Configuration»Include Editor", add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned than on older CPanel installations (CentOS 5), removing SSLv3 (:-SSLV3) from the cipher list might cause Apache not to start at all.


- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6, test before you change.