Patch & workaround for SSLv3 Poodle vulnerability

I refer to the vulnerability described below:

Can I disable SSLv3 in the browser & web servers (IIS & Apache) using the method/command given in
the EE link below & if so, please provide the exact steps/commands:

I recall for the Heartbleed vulnerability, MS came up with workarounds (in IE & some registry) & a couple
of weeks later released a patch for it.  Is there a similar registry workaround (perhaps this was asked
in Q1 above) & will MS be releasing a patch for it?

Any RHEL 5.x/6.x & Solaris x86 Ver 10 patches?

If SSLv3 is disabled, how will the web service work then?  I recall 1-2 years back we could disable SSLv2
& one EE expert told me the browser will auto-detect & move on to use SSLv3 if it detects SSLv2
is disabled.  So if both SSLv2 & v3 are disabled, is there something else it will move to?

Will deploying a host-based IPS (say TrendMicro) be more likely to break the app/service (esp. web service)
compared to disabling SSLv3?

Is SSLv3 with TLS1.0, TLS1.1 and TLS1.2 ciphers in F5 loadbalancer also affected by this vulnerability?

If we disable SSLv3 in F5 loadbalancer, what's the other alternative the F5 will use?  Assume we
rule out SSLv2 will be used.

The web runs on multiple versions and v3 is hardly used to start with; disabling v3 should have no effect.
See here for how to disable or force the safe versions - depends on your server.
Dave BaldwinFixer of ProblemsCommented:
If you would read the articles you posted, you would see that SSL has been replaced by TLS.  The Google article notes that SSLv3 is about 18 years old at this point.  For many servers, the Update Manager will provide a package update for OpenSSL, like my Ubuntu machines received last night.  One of my hosting companies also apparently did an update last night because my SSL connection doesn't work there anymore!
I was under the impression there is no fix; the Linux updates that are happening are more a disabling of it as a fallback protocol - and you should manually disable it yourself on all devices that may use it.

Yep, on CentOS with the update applied and the protocol not specified in nginx, it can still use v3 as a fallback.

I'll rescind my previous comment a bit: it prevents a TLS fallback to SSL.
btanExec ConsultantCommented:
1. In IIS, disable via

Verify that no SSL 2.0 or SSL 3.0 ciphers are available at or the Public SSL Server Database

Disable SSLv2 and SSLv3 in your SSL Apache configuration by setting:
SSLProtocol all -SSLv2 -SSLv3
or use:
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
Note to also set  Also use "apachectl configtest" to test your configuration and "sudo service apache restart" to restart the server.

Allow support only for TLS in nginx with the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

To remove SSLv3 support from MySQL you need only ensure that none of the SSLv3 ciphers are in use within your configuration.
As per the information in this bug, you can find a list of SSLv3 ciphers by simply running:
openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH(512))/ { print $1 }'

2. There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.
Internet Explorer users can follow the steps in Security Advisory 3009008 to disable SSL 3.0. Unlike Heartbleed, the attacker needs to have access to the network between the client and server to interfere with the handshake process.

For RHEL and Solaris, there is also a script (poodle_protector) that can be found on GitHub:

The security advisory from recommended the usage of TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0 is used only when necessary (when a legacy implementation is involved). This way, attackers can no longer force a protocol downgrade.

3.  After applying the workarounds above, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service. The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients; however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.

For (1), (2) and (3), you can catch how to disable SSL 3 in various servers and browsers; head to the blog post.

4. It is just another check and can be double-edged, as the HIPS is also another s/w piece that can be flawed and needs patching. At least if there is a patch for the OS you are covered at baseline, but application-wise you need more proactive checks, which is where HIPS comes in too, in case a patch is still pending for the applications.
Of course the HIPS must first have mitigated the threats itself. It applies to other network devices and network security devices etc. Defense in depth is recommended only if the security team is proactive and responds robustly so that the window of exposure is minimised in the overall effort from the top down.
For info, Trend Micro Deep Security has DPI rules for POODLE vulnerability e.g. 1006293 – Detected SSLv3 Request and 1006296 – Detected SSLv3 Response

5/6.  BIG-IP response. In 11.5.0, F5 made the decision to be secure by default and disable SSLv3 ciphers by default for the traffic path. Note that by default all clientssl and serverssl profiles inherit from the base profiles. If you have changed your ciphers in any of your SSL profiles, you will have to add "!SSLv3" to those profiles' cipher lists also.
BIG-IP has a management GUI that is contacted over SSL. By default, SSLv3 ciphers are enabled on all releases. This is configurable, and to remove SSLv3 from 11.5.x and 11.6.x you can disable SSLv3 via the command console, e.g. "ssl-protocol "all -SSLv2""
Also, F5 released a simple iRule to stop SSLv3 connections if you are not using the BIG-IP for SSL termination.
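The answer above recommends TLS_FALLBACK_SCSV for sites that cannot drop SSLv3 yet, and says disabling SSLv3 is the only complete fix. The script below is an added example for this thread (not code from any of the posts or from a vendor) that lets you check both claims against a server: it hand-builds an SSLv3 ClientHello, optionally with the TLS_FALLBACK_SCSV signalling cipher suite, sends it, and classifies the reply (ServerHello at 3.0, an inappropriate_fallback alert, or a refusal). Modern Python builds cannot speak SSLv3 through the ssl module, which is why the record layer is assembled by hand. The host name is whatever you pass on the command line; nothing is hard-coded to a real site, and the cipher suite list is an assumption about what a 2014-era server would accept.

```python
"""Hand-rolled SSLv3 / TLS_FALLBACK_SCSV probe.

Added example for this thread; it is not code from any of the posts above.
Modern Python builds cannot negotiate SSLv3 through the ssl module, so the
record layer and ClientHello are assembled by hand.  The target host is an
assumption of the caller; nothing here is tied to a real site."""
import os
import socket
import struct
import sys

CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SSLV3 = (3, 0)

# Cipher suites an SSLv3-capable server is likely to accept (IANA numbers for
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA), plus the RFC 7507 signal.
LEGACY_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
TLS_FALLBACK_SCSV = 0x5600
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_client_hello(version=SSLV3, fallback_scsv=True, client_random=None):
    """Return a single record carrying a ClientHello for `version`.
    A ClientHello with no extensions is valid from SSLv3 through TLS 1.2,
    so the same framing serves every version the probe tries."""
    client_random = client_random or os.urandom(32)
    suites = LEGACY_SUITES + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + client_random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                               # compression: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first record the server returned (ServerHello, alert or
    something else).  Only the fields the probe needs are decoded."""
    if len(data) < 5:
        return {"kind": "closed"}
    ctype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        return {"kind": "alert", "level": payload[0], "description": payload[1],
                "name": ALERT_NAMES.get(payload[1], "other")}
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        # body after the 4-byte handshake header:
        # server_version(2) random(32) session_id<0..32> cipher_suite(2)
        version = (payload[4], payload[5])
        sid_len = payload[38] if len(payload) > 38 else 0
        off = 39 + sid_len
        suite = struct.unpack("!H", payload[off:off + 2])[0] if len(payload) >= off + 2 else None
        return {"kind": "server_hello", "version": version, "cipher_suite": suite}
    return {"kind": "unknown", "content_type": ctype}


def interpret(result, fallback_scsv=True):
    """Turn a parsed reply to an SSLv3 ClientHello into the operational answer."""
    if result["kind"] == "server_hello":
        if result["version"] == SSLV3:
            note = (" and ignored TLS_FALLBACK_SCSV (no RFC 7507 support, or SSLv3 is its best)"
                    if fallback_scsv else "")
            return "SSLv3 ACCEPTED: server negotiated SSLv3" + note + "; POODLE-exposed"
        return "negotiated %d.%d (not SSLv3)" % result["version"]
    if result["kind"] == "alert" and result["name"] == "inappropriate_fallback":
        return ("SSLv3 still supported but TLS_FALLBACK_SCSV honoured: "
                "a downgrade from a newer client is blocked")
    if result["kind"] in ("alert", "closed"):
        return "SSLv3 refused (%s)" % result.get("name", result["kind"])
    return "unexpected reply: %r" % result


def probe(host, port=443, version=SSLV3, fallback_scsv=True, timeout=5.0):
    """Send one ClientHello and return the parsed reply.  Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, fallback_scsv))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_response(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption: caller supplies host
    for scsv in (True, False):
        print("SCSV=%s -> %s" % (scsv, interpret(probe(target, fallback_scsv=scsv), scsv)))
```

Run it twice per host, once with and once without the SCSV: a ServerHello at 3.0 without the SCSV means SSLv3 is still on; an inappropriate_fallback alert with the SCSV means the server has the RFC 7507 check but has not actually removed SSLv3, which is the partial mitigation the advisory describes. Only a refusal in both runs means the protocol is disabled.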
btanExec ConsultantCommented:
I do encourage you to check on the OpenSSL vulnerabilities on top of POODLE, those released on 15th October 2014, e.g. CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568.
sunhuxAuthor Commented:
> The security advisory from recommended the usage of
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.

I'm interested to know the steps on how to implement the above for
IIS & Apache.  Can share the details?
sunhuxAuthor Commented:
Oh, I forgot that OpenSSL is only for Apache.

So can I safely say that IIS (that uses, say, Netrust SSL) is not affected
by this POODLE vulnerability?
It is affected; you need to remedy it with the methods above.

For Apache, edit ssl.conf.
Look for SSLProtocol and amend it like so:

SSLProtocol all -SSLv3 -SSLv2
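The directive above, and the nginx `ssl_protocols` line and "no protocol specified" fallback mentioned earlier in the thread, are easy to get subtly wrong across many vhosts (for example `all -SSLv2`, which leaves SSLv3 on). The script below is an added example for this thread, not code from any post or from the Apache or nginx projects: it evaluates `SSLProtocol` values token by token (`all`, `+name`, `-name`) and nginx `ssl_protocols` lists, and flags any directive, or missing directive, that still leaves SSLv2 or SSLv3 enabled. The expansion of Apache's `all` shortcut and the nginx default used when the directive is absent are modelled as assumptions in the comments; confirm them against the versions you run. The sample configs are constructed for the example.

```python
"""Audit Apache mod_ssl `SSLProtocol` and nginx `ssl_protocols` directives
for SSLv2/SSLv3 still being enabled.

Added example for this thread, not code from any of the posts or projects.
The meaning of Apache's `all` shortcut and nginx's default protocol list are
assumptions noted below; check them against the version you actually run."""
import re

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in PROTOCOLS}      # mod_ssl matches names case-insensitively
WEAK = {"SSLv2", "SSLv3"}
# Assumption: mod_ssl 2.4 on OpenSSL 1.0.1 expands `all` to
# +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2.  Some older 2.2 builds also folded SSLv2
# into `all`, which is why the posts spell out `-SSLv2` as well as `-SSLv3`.
APACHE_ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
# Assumption: nginx default when ssl_protocols is absent, for releases that
# still included SSLv3 (the CentOS fallback behaviour reported in the thread).
NGINX_DEFAULT = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+?)\s*;?\s*(#.*)?$", re.I)


def apache_protocols(value, all_set=APACHE_ALL):
    """Evaluate an `SSLProtocol` value left to right: bare or `+name` adds,
    `-name` removes, `all` expands to the shortcut set."""
    enabled = set()
    for tok in value.split():
        raw = tok.lstrip("+-")
        names = set(all_set) if raw.lower() == "all" else {CANON.get(raw.lower(), raw)}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_protocols(value, default=NGINX_DEFAULT):
    """nginx lists protocols explicitly; no directive means the built-in default."""
    if value is None:
        return set(default)
    return {CANON.get(t.lower(), t) for t in value.split()}


def audit(config_text, kind):
    """Return one finding per protocol directive: line number, raw value, the
    protocol set it enables and whether SSLv2/SSLv3 survive.  `kind` is
    'apache' or 'nginx'; a config with no directive is reported against the
    assumed default (`all` for Apache, NGINX_DEFAULT for nginx)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(2)
        enabled = apache_protocols(value) if kind == "apache" else nginx_protocols(value)
        findings.append({"line": lineno, "value": value, "enabled": enabled,
                         "weak": bool(enabled & WEAK)})
    if not findings:
        enabled = apache_protocols("all") if kind == "apache" else nginx_protocols(None)
        findings.append({"line": None, "value": "(default, directive absent)",
                         "enabled": enabled, "weak": bool(enabled & WEAK)})
    return findings


# Constructed sample configs: the first vhost only drops SSLv2, leaving SSLv3
# on; the second uses the form recommended in the thread.
SAMPLE_APACHE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLProtocol all
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
SAMPLE_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # hardened
}
"""

if __name__ == "__main__":
    for kind, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for f in audit(text, kind):
            flag = "WEAK" if f["weak"] else "ok  "
            print("%s %-6s line %s: %s -> %s" % (flag, kind, f["line"], f["value"], sorted(f["enabled"])))
```

Point it at the real ssl.conf / vhost files (read the file and pass its text to `audit`) rather than the embedded samples; a directive inside a vhost overrides the server-wide one, so every `WEAK` line matters, not just the first.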
btanExec ConsultantCommented:
IIS uses SSL as well; POODLE is about SSLv3, so all services using SSLv3 are affected. The changes for Apache are stated in the last posting. One means to disable it for Windows Servers as a whole is as below.

Also note that each vendor having SSL will already have made notice, such as Entrust too.

Right-click on Protocols, and in the pop-up menu, click New > Key. Name the key SSL 3.0.
Right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key. Name the key Client.
Right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key. Name the key Server.

Under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value DisabledByDefault.
Under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
In the Edit DWORD (32-bit) Value window, in the Value Data box, change the value to 1.

Under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value Enabled.
Under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
In the Edit DWORD (32-bit) Value window, in the Value Data box, leave the value at 0.

Restart your Windows server.

sunhuxAuthor Commented:
> The security advisory from recommended the usage of
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.

Thanks Gary for sharing the change needed to implement the above for

Thanks Btan, do the steps you shared for IIS also implement the above, or
is it just disabling SSLv2 & SSLv3 completely, i.e. with no option to support
a legacy SSLv3?  Just wanted to reduce the risk of breaking apps.
TLS has been around for 15 years; it's highly unlikely you have anything relying purely on SSLv3 instead of using TLS.
btanExec ConsultantCommented:
The steps are for the entire Windows OS, which IIS also adheres to. It is as per below for Windows Server. You should also make sure any proxy fronting the IIS is patched as well to disable SSLv3. Kindly do make the prior assessment.