Disabling SSLv3

With POODLE the time has come to disable SSLv3 everywhere. There will be clients that break and need fixing but it needs doing. You can read more details and background on the vulnerability.

Here are a few useful snippets from my experience with it this week:


Make sure the combination you have on Apache's SSLProtocol line disables both SSLv2 and SSLv3, something like: SSLProtocol All -SSLv2 -SSLv3


Ensure your crypto profiles have SSLv2 and v3 disabled in the options line:

[code lang=text]
switch co
  crypto profile
    option-string OpenSSL-default+Disable-SSLv2+Disable-SSLv3
    exit
  exit
write mem
[/code]


If you have handshake problems from a Java client process, force the protocols it uses with -Dhttps.protocols=TLSv1


Make sure the ssl_protocols line in your nginx SSL configuration doesn't have SSLv3 in it, for example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


Make sure you don't have secureProtocol: SSLv3_method anywhere in your Node.js https options; use TLSv1_method instead if pinning a method is really needed.
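The Apache, nginx and Node.js tips above are easy to get subtly wrong (Apache's SSLProtocol in particular: a bare token replaces everything before it, while +/- add and remove), so here is a small linter that evaluates each of those settings and reports whether SSLv2 or SSLv3 is still enabled. It is an added example, not code from the original post; the expansion of Apache's "All" shorthand and the nginx default are assumptions noted in the comments, and the sample configurations at the bottom are constructed for the demo.

```python
"""SSLv3 configuration linter (added example, not from the original post).

Evaluates the three config idioms discussed in the post (Apache SSLProtocol,
nginx ssl_protocols, Node.js secureProtocol) and reports any SSLv2/SSLv3
that is still enabled. Sample configurations below are constructed.
"""
import re

WEAK = {"SSLv2", "SSLv3"}

# Assumed expansion of Apache's "All" shorthand, modelled on a 2014-era
# httpd 2.2 build against OpenSSL 1.0.1. httpd 2.4 drops SSLv2 from "All";
# keeping it here only makes the checker more conservative.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANON = {p.lower(): p for p in APACHE_ALL}   # mod_ssl matches names case-insensitively

# Assumed nginx default for ssl_protocols before 1.9.1, which still offered
# SSLv3, so a missing directive is itself a finding.
NGINX_DEFAULT = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def apache_protocols(directive):
    """Evaluate an SSLProtocol line the way mod_ssl parses it: a bare token
    replaces the current set, '+name' adds, '-name' removes, and 'All'
    expands to APACHE_ALL. Returns the set of enabled protocol names."""
    enabled = set()
    for token in directive.split()[1:]:          # skip the 'SSLProtocol' keyword
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        names = APACHE_ALL if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:                                   # bare token overrides everything before it
            enabled = set(names)
    return enabled


def nginx_protocols(config_text):
    """Return the protocols an nginx config will offer. If ssl_protocols is
    absent, the (assumed) pre-1.9.1 default applies."""
    match = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    return set(match.group(1).split()) if match else set(NGINX_DEFAULT)


def node_weak_methods(source):
    """Return secureProtocol values in JS source that pin a broken SSL version.
    SSLv23_method is deliberately not flagged: despite its name it negotiates
    the highest version both sides support."""
    values = re.findall(r"secureProtocol\s*:\s*['\"]([A-Za-z0-9_]+)['\"]", source)
    return {v for v in values if v in ("SSLv2_method", "SSLv3_method")}


def weak_protocols(enabled):
    """The enabled protocols that the post says must go, sorted for stable output."""
    return sorted(enabled & WEAK)


# Constructed sample configurations: a 'before' that still allows SSLv3 and
# the corrected 'after' for each product.
APACHE_BEFORE = "SSLProtocol All -SSLv2"
APACHE_AFTER = "SSLProtocol All -SSLv2 -SSLv3"
NGINX_BEFORE = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_AFTER = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NODE_BEFORE = "https.request({ host: 'example.invalid', secureProtocol: 'SSLv3_method' });"
NODE_AFTER = "https.request({ host: 'example.invalid', secureProtocol: 'TLSv1_method' });"


def report():
    """Run every check over the samples and return findings as strings."""
    findings = []
    for label, cfg in (("apache before", APACHE_BEFORE), ("apache after", APACHE_AFTER)):
        findings.append(f"{label}: weak={weak_protocols(apache_protocols(cfg)) or 'none'}")
    for label, cfg in (("nginx before", NGINX_BEFORE), ("nginx after", NGINX_AFTER)):
        findings.append(f"{label}: weak={weak_protocols(nginx_protocols(cfg)) or 'none'}")
    for label, src in (("node before", NODE_BEFORE), ("node after", NODE_AFTER)):
        findings.append(f"{label}: weak={sorted(node_weak_methods(src)) or 'none'}")
    return findings


if __name__ == "__main__":
    for line in report():
        print(line)
```

Point apache_protocols at the real directive from your httpd.conf (or the full nginx server block at nginx_protocols) and the result is the set the server will actually negotiate, which is what you want to confirm before restarting, since "SSLProtocol All TLSv1" silently leaves only TLSv1 and "SSLProtocol All -SSLv2" leaves SSLv3 on.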


See Security bulletin