According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
The issue is a vulnerability in the design of SSL version 3.0 that allows a network attacker to recover the plaintext of secure connections.
SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.
Detection (Linux)
The following script can be run against the server in question. It prints 'SSL 3.0 enabled' if the server completes an SSLv3 handshake (vulnerable) and 'SSL 3.0 disabled' if the server refuses one.
_______________
#!/bin/bash
# Probe the server with SSLv3 only; default target is this host, port 443.
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-$(hostname)}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # "Cipher : 0000" means no cipher was negotiated, i.e. the SSLv3 handshake was refused.
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled"
    else
        echo "SSL 3.0 enabled"
    fi
else
    echo "SSL disabled or other error"
fi
_______________
NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
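The script above folds the decision logic into the same command that talks to the network, which makes it hard to test and hides one failure mode: an OpenSSL build compiled without SSLv3 support cannot send the probe at all, and the script then reports "SSL disabled or other error" regardless of what the server would accept. The following added example (my code, not part of the original post) separates the classifier from the probe so it can be exercised on captured output. It assumes the same s_client output lines the original greps for ("Protocol  : SSLv3", "Cipher    : 0000") and assumes that an OpenSSL without SSLv3 rejects the flag with an "unknown option" message; the sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -ssl3` output into a verdict.
# Assumed output formats: "Protocol  : SSLv3" and "Cipher    : 0000" in the
# SSL-Session block, and an "unknown option" error from OpenSSL builds that
# were compiled without SSLv3 (assumption, not taken from the original post).

# classify_sslv3_output OUTPUT
#   Prints one of: enabled, disabled, no-sslv3-client, error
classify_sslv3_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # The local openssl cannot speak SSLv3 at all, so the probe says
        # nothing about the server; never report this as "disabled".
        echo no-sslv3-client
    elif printf '%s\n' "$out" | grep -q 'Protocol.*SSLv3'; then
        if printf '%s\n' "$out" | grep -q 'Cipher.*0000'; then
            echo disabled     # handshake refused: no cipher negotiated
        else
            echo enabled      # server completed an SSLv3 handshake
        fi
    else
        echo error            # timeout, connection refused, or unexpected output
    fi
}

# check_host HOST [PORT]
#   Runs the probe against a live server and prints the verdict.
#   stderr is kept (2>&1) so the "unknown option" case can be recognised.
check_host() {
    probe=$(echo Q | timeout 5 openssl s_client -connect "$1:${2:-443}" -ssl3 2>&1)
    classify_sslv3_output "$probe"
}

# Constructed sample outputs, trimmed to the lines the classifier inspects.
SAMPLE_ENABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_DISABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_NO_CLIENT='s_client: Unknown option: -ssl3'

if [ -n "${1-}" ]; then
    check_host "$1" "${2-}"
else
    # No host given: run the classifier over the constructed samples instead.
    for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_NO_CLIENT" "garbage"; do
        printf '%s\n' "$(classify_sslv3_output "$s")"
    done
fi
```

Run it as `./check.sh host [port]` to probe a server, or with no arguments to see the four verdicts on the samples. The extra no-sslv3-client verdict matters when the check is run from a patched or modern system: a clean "disabled" result is only trustworthy when the probing host is known to be able to negotiate SSLv3.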
Resolution
To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2; TLSv1.0 can be kept where backwards compatibility is required. Many products Red Hat supports are still able to use the SSLv2 or SSLv3 protocols, but doing so is strongly discouraged.
To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3
Option 2: Disable everything except TLSv1.x
On RHEL 7 or RHEL 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
On other platforms:
SSLProtocol -All +TLSv1
Then restart httpd:
# service httpd restart
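Both options work because mod_ssl processes the SSLProtocol value left to right: a bare name such as All replaces the set of allowed protocols, "+name" adds one and "-name" removes one. A directive that only adds, or that removes SSLv2 but not SSLv3, therefore still leaves SSLv3 on. The following added example (my code, not the post's or Red Hat's) implements those semantics in a small auditor that reports, for every SSLProtocol line in a configuration file, whether SSLv3 remains allowed. The parsing rules are my reading of mod_ssl's behaviour and the sample ssl.conf is constructed; it checks directive values only and does not reason about the placement rule in the note above.

```shell
#!/bin/sh
# Added example: audit SSLProtocol directives for SSLv3 exposure.
# Semantics assumed (mod_ssl): tokens processed left to right, starting from an
# empty set; bare name = replace set, +name = add, -name = remove, All = every
# protocol. Names are matched case-insensitively.

# sslprotocol_allows_sslv3 "VALUE"   -> prints yes or no
sslprotocol_allows_sslv3() {
    allowed=""
    for tok in $1; do
        case $tok in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$name" = all ]; then
            name="sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2"
        fi
        case $op in
            set) allowed="$name" ;;
            add) allowed="$allowed $name" ;;
            del) for n in $name; do
                     # drop exact matches of $n from the space-separated set
                     allowed=$(printf '%s\n' "$allowed" | tr ' ' '\n' | grep -vxF "$n" | tr '\n' ' ')
                 done ;;
        esac
    done
    case " $allowed " in
        *" sslv3 "*) echo yes ;;
        *)           echo no ;;
    esac
}

# audit_ssl_conf FILE   -> one report line per SSLProtocol directive
audit_ssl_conf() {
    grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | while IFS= read -r line; do
        set -- $line        # word-split: $1 is the directive name, the rest its value
        shift
        printf 'allows SSLv3: %-3s  %s\n' "$(sslprotocol_allows_sslv3 "$*")" "$line"
    done
}

# Constructed sample configuration (not a real ssl.conf).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
SSLProtocol all
<VirtualHost _default_:443>
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
EOF

audit_ssl_conf "$SAMPLE_CONF"
```

Point `audit_ssl_conf` at /etc/httpd/conf.d/ssl.conf (and any other file containing SSLProtocol directives) to get one verdict per line; only the first directive in the sample, the default "all", is reported as still allowing SSLv3.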
Resources:
For Microsoft
https://technet.microsoft.com/en-us/library/security/3009008.aspx
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://forums.cpanel.net/f185/sslv3-vulnerability-432641.html
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
Tests
Test your web server for SSLv3 and SSLv2 support
https://www.ssllabs.com/ssltest/index.html
What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For Nginx there are other files to edit:
/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
Rebuild the generated configuration after any changes:
# /usr/local/psa/admin/bin/httpdmng --reconfigure-all
Other Resources:
CPanel/WHM
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
http://www.cpanelkb.net/fix-poodle-sslv3-vulnerability/
http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
Plesk
http://kb.sp.parallels.com/en/123160
http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/
http://bobcares.com/blog/protecting-your-cpanel-whm-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftp-proftpd-dovecot-and-courier-imap