
I'm using FreeBSD 9.2-RELEASE-p5 with the apache24-2.4.10_2 package. Because of CVE-2014-3566 (POODLE), I went ahead and disabled SSLv3 with SSLProtocol -SSLv3, followed by a restart of the apache24 service, yet after running checks it seems that SSLv3 is still enabled.

<IfModule ssl_module.c>
    SSLCipherSuite      HIGH:MEDIUM:!aNULL:!MD5
    SSLProtocol         -SSLv3
    SSLPassPhraseDialog builtin
    SSLSessionCache     "shmcb:/var/run/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
</IfModule>

One of the checks that I ran was this:

openssl s_client -connect <server>:<port> -ssl3

* UPDATE *

I had a minor misconfiguration; after replacing <IfModule ssl_module.c> with <IfModule ssl_module>, apache24 DID accept my SSLProtocol:

[alexus@wcmisdlin02 ~]$ openssl s_client -connect j.alexus.org:443 -ssl3
CONNECTED(00000003)
139809335551816:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139809335551816:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413476188
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
[alexus@wcmisdlin02 ~]$ 
– alexus (edited by Stefan Lasiewski)
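The check in the question relies on `openssl s_client -ssl3`, which only works when the local OpenSSL was built with SSLv3 support; current OpenSSL builds leave it out, so the option fails before anything reaches the server. The following added example (it is not code from the original post or from the Apache project) performs the same probe at the record layer: it sends an SSLv3 ClientHello and classifies the first record that comes back. A server that refuses SSLv3, like the fixed Apache above, answers with a single 7-byte fatal alert record, which is exactly the "SSL alert number 40" and "read 7 bytes" visible in the s_client output; a server that still allows it returns an SSLv3 ServerHello. The function and constant names and the two sample replies are constructed for this example.

```python
"""Raw SSLv3 probe: send an SSLv3 ClientHello and classify the reply.

Added example, not code from the original post.  Speaks the SSL record
layer directly so it does not depend on an OpenSSL build that still
supports SSLv3.
"""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# A few SSLv3-era RSA cipher suites, offered so a server that still
# allows SSLv3 has something it can select.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(client_random=None):
    """Return one record carrying an SSLv3 ClientHello (RFC 6101, 5.6.1.2)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", cs) for cs in CIPHER_SUITES)
    body = (
        SSLV3_VERSION                           # client_version = 3.0
        + client_random                         # gmt_unix_time + random_bytes
        + b"\x00"                               # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # compression_methods: null only
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_sslv3_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello.

    Returns (verdict, detail); verdict is "refused", "accepted", "closed"
    or "other".  Only the record and handshake headers are parsed.
    """
    if len(data) < 5:
        return ("closed", "connection closed or nothing readable before a record")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        name = {40: "handshake_failure", 70: "protocol_version"}.get(desc, "alert")
        return ("refused", f"{name} (level {level}, description {desc})")
    if ctype == CONTENT_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid
        # cipher_suite(2) compression(1)
        if len(payload) < 39:
            return ("other", "truncated ServerHello")
        version = (payload[4], payload[5])
        sid_len = payload[38]
        off = 39 + sid_len
        if len(payload) < off + 2:
            return ("other", "truncated ServerHello")
        cipher = struct.unpack("!H", payload[off:off + 2])[0]
        if version == (3, 0):
            return ("accepted", f"ServerHello version 3.0, cipher 0x{cipher:04x}")
        return ("other", f"ServerHello version {version[0]}.{version[1]}")
    return ("other", f"unexpected record type 0x{ctype:02x}")


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port and report whether it completes an SSLv3 hello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_sslv3_response(reply)


# Constructed sample replies (not captured from any real server).
# Fatal alert 40 (handshake_failure): the 7-byte record a server that
# refuses SSLv3 sends, matching "SSL alert number 40" / "read 7 bytes"
# in the openssl output above.
SAMPLE_REFUSED = bytes.fromhex("15030000020228")
# An SSLv3 ServerHello selecting TLS_RSA_WITH_AES_128_CBC_SHA (0x002f).
SAMPLE_ACCEPTED = (bytes.fromhex("160300002a" "02000026" "0300")
                   + b"\x11" * 32 + bytes.fromhex("00" "002f" "00"))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe_sslv3(host, port))
```

Run it as `python3 probe.py j.alexus.org 443`; a correctly configured server yields "refused", and "accepted" means the SSLProtocol change has not taken effect (for example because the directive sits inside an IfModule block whose name does not match a loaded module). A "closed" result is also safe for POODLE purposes but is worth rechecking, since it can equally mean a firewall or a server that drops unexpected hellos.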

2 Answers


According to Mozilla, this configuration should work:

<VirtualHost *:443>
    ...
    SSLProtocol all -SSLv2 -SSLv3
    ...
</VirtualHost>
– gparent
  • I had a small misconfiguration, I updated my question with the answer, but thanks anyway! I'll accept your answer as you also included SSLv2. Thanks! – alexus Oct 16 '14 at 16:21
  • Yeah, I think you need -SSLv2 otherwise it uses all of them. I'll bookmark this question and clean it up later so it's not confusing to other readers. I'll make sure to include both the SSL thing and the fact that you had that module thing to fix. – gparent Oct 16 '14 at 16:23
  • SSLv2 is also highly insecure, and I believe that the Apache config file included with FreeBSD Ports/pkgs disabled it by default a few years ago. – Stefan Lasiewski Oct 16 '14 at 16:37

I used this configuration and it works for me:

SSLProtocol TLSv1 TLSv1.1 TLSv1.2

You can scan your site with this tool.

– Rodrigo Moreno