If you maintain a web server, the safest short-term response is to disable SSLv3 support (or, where SSLv3 cannot be removed yet, disable CBC-mode ciphers for SSLv3). The protocol is more than fifteen years old, and all major web browsers have supported TLS 1.0 since 2006. Remember also that many protocols other than HTTPS use TLS for transport security, including POP3, IMAP, SMTP, XMPP, FTP, and NNTP.
We've included instructions on how to disable SSLv3 support for the following products below.
The largest user base that will be affected, because it lacks TLS support, is Internet Explorer 6 and older. It is estimated that 3.8% of all clients are still running IE6, but IE6 represents only 0.1% of US browsers. Opera began supporting TLS in version 5, and TLS support was present in Firefox 2 (and possibly earlier versions). All versions of Google Chrome support TLS. A longer-term solution is to use the TLS Signaling Cipher Suite Value (SCSV).
If you have a public web server, you can test it using the Qualys SSL Server Test. You can also test private web servers and other TLS endpoints using OpenSSL by running openssl s_client -ssl3 -connect fqdn:port. If your server has SSLv3 disabled, you will receive a handshake error; otherwise, you'll receive the same output as when you run openssl s_client -connect fqdn:port.
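Many current OpenSSL builds are compiled without SSLv3, so the -ssl3 option above may be unavailable. The script below, an added example that is not part of poodle.io's own material, performs the same check by sending a minimal SSLv3 ClientHello itself and classifying the first record the server returns. It assumes an implicit-TLS port (HTTPS, IMAPS, SMTPS and the like; STARTTLS services would need the plaintext negotiation first), takes host and port as command-line arguments, and uses cipher suite numbers from the IANA TLS registry; the response bytes in the tests are constructed.

```python
"""Check whether a TLS endpoint still accepts an SSLv3 handshake.

Added example, not poodle.io's code. Sends an SSLv3 ClientHello and reports
whether the server answers with an SSLv3 ServerHello (still vulnerable),
an alert or a closed connection (SSLv3 disabled), or something unexpected.
"""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"
# A few cipher suites SSLv3 servers commonly offered (IANA registry values):
# RSA/DHE with AES-CBC, 3DES and RC4.
CIPHER_SUITES = [0x002F, 0x0035, 0x0033, 0x0039, 0x000A, 0x0005]


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record (type 0x16) carrying a ClientHello."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (
        SSLV3_VERSION                                  # client_version 3.0
        + random_bytes                                 # 32-byte client random
        + b"\x00"                                      # empty session id
        + struct.pack("!H", len(suites)) + suites      # cipher_suites
        + b"\x01\x00"                                  # one compression method: null
    )
    # handshake header: type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a verdict string."""
    if not data:
        return "rejected: connection closed without a reply"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:          # alert record
        level, description = data[5], data[6]
        return f"rejected: alert level {level} description {description}"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        if data[9:11] == SSLV3_VERSION:
            return "ACCEPTED: server completed an SSLv3 ServerHello"
        return f"unexpected: ServerHello with version {data[9]}.{data[10]}"
    return f"unexpected: record type 0x{content_type:02x}"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        data = b""
        try:
            while len(data) < 11:          # enough for header + ServerHello version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionResetError):
            pass                           # treated like a closed connection
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {probe_sslv3(target, target_port)}")
```

A server that has SSLv3 disabled should answer with a handshake_failure or protocol_version alert, or simply close the connection; only an SSLv3 ServerHello means the remediation did not take effect on that port.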
For nginx, modify the ssl_protocols directive to use only TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it to the top of your configuration file.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
For Apache httpd, the SSL configuration syntax changed slightly in version 2.2.23. For httpd version 2.2.23 and newer, use:
SSLProtocol ALL -SSLv2 -SSLv3
For httpd version 2.2.22 and older, specify only TLSv1; in those versions it is treated as a wildcard for all TLS versions.
SSLProtocol TLSv1
For Apache with mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0+:
NSSProtocol TLSv1.0,TLSv1.1
Please see the write-up at digicert for how to disable SSLv3.
Thanks to gertvdijk on AskUbuntu.
For Postfix, modify the smtpd_tls_mandatory_protocols configuration line:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Thanks to gertvdijk on AskUbuntu.
For Sendmail, modify the LOCAL_CONFIG section of the sendmail.mc file:
CipherList=HIGH
ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
Thanks to gertvdijk on AskUbuntu.
For Dovecot 2.1+, edit /etc/dovecot/local.conf to add the line below and then restart Dovecot.
ssl_protocols = !SSLv2 !SSLv3
For older Dovecot 2 releases, edit /etc/dovecot/conf.d/10-ssl.conf to add the line below and then restart Dovecot.
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
Thanks to gertvdijk on AskUbuntu.
For HAProxy, edit the bind line in your /etc/haproxy.cfg file, adding no-sslv3 (the certificate path and cipher list below are placeholders):
bind :443 ssl crt <certificate.pem> ciphers <cipher-list> no-sslv3
Thanks to Loris Santamaria.
For 389 Directory Server, modify cn=encryption,cn=config and restart the server.
ldapmodify -x -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
EOF
Thanks to gertvdijk on AskUbuntu.
For Courier IMAP on Ubuntu 12.04, edit /etc/courier/imapd-ssl:
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
Thanks to gertvdijk on AskUbuntu.
For Lighttpd 1.4.28+, edit /etc/lighttpd/lighttpd.conf:
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
On versions of Lighttpd older than 1.4.28 there is no directive for disabling SSLv3 directly, but you can keep SSLv3 from being negotiated by removing SSLv3-compatible cipher suites from ssl.cipher-list. Allowable suites are (written as an ssl.cipher-list value):
ssl.cipher-list = "ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
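The directives above differ in shape: nginx and Dovecot list or exclude protocol versions, Apache's SSLProtocol combines ALL with +/- modifiers, Postfix uses an exclusion list, and Lighttpd has a per-version switch. The checker below is an added example, not poodle.io's code; it reads lines from configuration files, recognises those directives (plus Postfix's smtpd_tls_protocols, which governs opportunistic TLS and is not mentioned on this page), and reports which ones still permit SSLv3. It does not model Apache's pre-2.2.23 syntax differences, and the sample configuration is constructed.

```python
"""Flag server configuration directives that still allow SSLv3.

Added example, not poodle.io's material. Understands: nginx ssl_protocols,
Apache httpd SSLProtocol, Postfix smtpd_tls_mandatory_protocols and
smtpd_tls_protocols, Dovecot 2.1+ ssl_protocols, Lighttpd 1.4.28+
ssl.use-sslv3. The sample configuration below is constructed.
"""
import re

# directive name, then '=' or whitespace, then the value; a trailing ';'
# (nginx) is dropped
_LINE = re.compile(r"^\s*([A-Za-z_][\w.\-]*)\s*(?:=|\s)\s*(.*?)\s*;?\s*$")

KNOWN = {
    "ssl_protocols", "sslprotocol",
    "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
    "ssl.use-sslv3",
}


def _version_list_allows_sslv3(upper_tokens):
    """Exclusion form ('!SSLv2 !SSLv3') keeps SSLv3 unless '!SSLV3' appears;
    allow-list form ('TLSv1 TLSv1.1') enables SSLv3 only if it is listed."""
    if any(t.startswith("!") for t in upper_tokens):
        return "!SSLV3" not in upper_tokens
    return "SSLV3" in upper_tokens


def sslv3_allowed(directive, value):
    """True if the value still permits SSLv3, False if it excludes it,
    None for a directive this checker does not understand."""
    name = directive.lower()
    upper = [t.upper() for t in value.replace(",", " ").replace(";", " ").split()]
    if name in ("ssl_protocols", "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols"):
        # nginx and Dovecot ssl_protocols, and both Postfix directives
        return _version_list_allows_sslv3(upper)
    if name == "sslprotocol":
        # Apache httpd: 'ALL' enables every version, '-X' removes one,
        # '+X' or a bare name adds one; 'TLSv1' alone never includes SSLv3
        enabled = set()
        for t in upper:
            if t == "ALL":
                enabled |= {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}
            elif t[0] == "-":
                enabled.discard(t[1:])
            elif t[0] == "+":
                enabled.add(t[1:])
            else:
                enabled.add(t)
        return "SSLV3" in enabled
    if name == "ssl.use-sslv3":
        # Lighttpd 1.4.28+: "enable" / "disable"
        return value.strip().strip('"').lower() != "disable"
    return None


def audit(config_text):
    """Return (line number, directive, allows_sslv3) for every known directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m or m.group(1).lower() not in KNOWN:
            continue
        findings.append((lineno, m.group(1), sslv3_allowed(m.group(1), m.group(2))))
    return findings


# constructed sample: one directive per line, as if collected from several hosts
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol ALL -SSLv2 -SSLv3
SSLProtocol all -SSLv2
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2
ssl_protocols = !SSLv2 !SSLv3
ssl.use-sslv3 = "enable"
"""

if __name__ == "__main__":
    for lineno, directive, allowed in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}: {'ALLOWS SSLv3' if allowed else 'ok'}")
```

Feed it the relevant files from each host (the nginx or httpd SSL configuration, Postfix's TLS settings, Dovecot's local.conf or 10-ssl.conf, lighttpd.conf); the point of the sample is the two easy misses: an Apache line that only removes SSLv2, and a Postfix setup that fixes the mandatory-TLS list but leaves the opportunistic one untouched.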
The Apache Tomcat project has posted instructions on disabling SSLv3 at http://wiki.apache.org/tomcat/Security/POODLE.
Add this code to your website to embed our browser SSLv3 test.
<iframe src="https://poodle.io/sslv3test.html" width="100%" frameborder="0" height="75"></iframe>
We are working to post details on how to disable SSLv3 support in additional services. If you have details on how SSLv3 support can be disabled in your product, please email us at poodle-team@umich.edu.