Poodlebleed SSL3 bug solution
Poodlebleed is a bug in the SSL3 protocol (the POODLE attack against SSL 3.0). My website was also vulnerable to this bug, so this morning I fixed the vulnerability and thought of sharing the solution. Note that this vulnerability also applies to Apache Web Server and other web servers as well, but in this post I will cover only the Nginx web server.
I have written a separate post on Nginx configuration for SSL, so I will not be covering detailed Nginx configuration in this post.
To secure your Nginx server from the Poodlebleed SSL3 bug, follow the steps below.
- Step 1:
By default on Debian based systems the Nginx configuration files are located in the /etc/nginx directory. If it differs on your installation then change to your Nginx configuration directory. We need to edit every file located in the sites-available directory inside /etc/nginx.
- Step 2:
Open the files in this directory one by one. I am assuming you have the default file in it. Open the file using any text editor of your preference; I use nano for it.
- Step 3:
Search for the line below in the file.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
Now delete SSLv3 from the above line, so the final line will look like
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This is the only change I made in my configuration file; the rest of the configuration remained the same. Remember that Nginx only picks up the edited files after you test the configuration (nginx -t) and reload the service. Now it is time to check whether the site has the Poodlebleed problem or not. There are a couple of tools for this. I tested the above configuration with both tools and found it working.
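As an added example (not code from the original post), here is a small Python audit script that applies the Step 3 edit mechanically across a configuration file: it rewrites any ssl_protocols directive that still lists SSLv3 or SSLv2, leaves commented-out lines alone, falls back to the post's TLSv1 TLSv1.1 TLSv1.2 line when a directive listed only weak protocols, and flags a server block that enables SSL without setting ssl_protocols at all (before nginx 1.9.1 the build default still included SSLv3). The sample configuration is constructed for the example.

```python
"""Audit nginx config text for ssl_protocols directives that still allow
SSLv3 (or SSLv2) and produce a corrected copy plus a list of findings."""
import re

# Matches an active (not commented) ssl_protocols directive, keeping indent
# and any trailing comment so the rewritten line looks like the original.
DIRECTIVE = re.compile(r"^(?P<indent>\s*)ssl_protocols\s+(?P<protos>[^;#]*);(?P<rest>.*)$")
WEAK = {"SSLv2", "SSLv3"}
SAFE_DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # the line the post ends up with

# Constructed sample config (two server blocks); not the post's real file.
SAMPLE = """\
server {
    listen 443 ssl;
    server_name example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols SSLv3;  (commented out, must be left alone)
}
server {
    listen 8443 ssl;
    ssl_protocols SSLv2 SSLv3;  # only weak protocols listed
}
"""


def harden_ssl_protocols(text):
    """Return (fixed_text, findings); findings is a list of (line_no, old, new)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            out.append(line)
            continue
        protos = m.group("protos").split()
        kept = [p for p in protos if p not in WEAK]
        if kept == protos:          # nothing weak here, keep the line verbatim
            out.append(line)
            continue
        if not kept:                # directive listed only weak protocols
            kept = SAFE_DEFAULT     # an empty list would be invalid nginx config
        new = f"{m.group('indent')}ssl_protocols {' '.join(kept)};{m.group('rest')}"
        findings.append((no, line.strip(), new.strip()))
        out.append(new)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), findings


def relies_on_default(text):
    """True if SSL is enabled but ssl_protocols is never set, so the nginx
    build default applies (which still included SSLv3 before nginx 1.9.1)."""
    enables_ssl = re.search(r"^\s*(listen\s+[^;]*\bssl\b|ssl\s+on\s*;)", text, re.M)
    return bool(enables_ssl) and not re.search(r"^\s*ssl_protocols\b", text, re.M)


if __name__ == "__main__":
    fixed, found = harden_ssl_protocols(SAMPLE)
    for no, old, new in found:
        print(f"line {no}: {old}  ->  {new}")
    print(fixed)
```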
Validating Nginx configuration
Using Poodlebleed site
The Poodlebleed site gives you information about the Poodlebleed SSL3 bug. You can also test whether your site is susceptible to this bug. At the bottom of the page you will see two text boxes, one to enter your domain name and a second to enter the port. By default for SSL the port is 443.
I tested my configuration with the above change using the tool and it worked great. You should also get the message below
The server at udinra.com does not accept SSL 3.0 connections and thus is not vulnerable to Poodlebleed. Additionally, a non-SSL 3.0 connection was successfully established.
Using Qualys site
This test provides a more detailed report than the first one. It can be used to test your SSL configuration as well, so it is better to test your configuration with it too.
Ideally your SSL configuration should get an A+ rating. If it is below that then there is scope for improvement. I tested my SSL configuration using the tool. The image below shows the test result. In this test you should look for the messages below to make sure your server is not susceptible to Poodlebleed
This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
Impact on SSL certificate
It is worth mentioning here that Poodlebleed does not impact your SSL certificate, so there is no need to worry on that front. The above solution takes care of it all. Below is an excerpt of correspondence from NameCheap. Note that I am their user at the moment and I am using their SSL certificate, so it is good to have the information shared from their side.
With the recent discovery of the “Poodle” vulnerability, we’re writing today to inform you about how it may affect you, as a user of our SSL certificates and/or API.
First of all, this vulnerability does not affect SSL certificates themselves. It impacts SSL protocol functionality. There is no need to reissue and revoke your current certificates. The Poodle vulnerability affects servers running SSL 3.0. It centers on cipher block chaining (CBC) encryption implementations that can allow attackers with a Man-in-the-Middle (MITM) position to view the content of an encrypted transmission.
The above change will impact some of your website visitors. Visitors using old browsers like Internet Explorer 6 might face issues connecting to your website, so by disabling SSL3 support you are losing visitors who use old browsers. Modern browsers still support SSL3, but it is only used when other protocols like TLS are not available. That fallback is exactly the downgrade a POODLE attacker forces, which is why the TLS_FALLBACK_SCSV check above matters.
The percentage of visitors using this site with old browsers is very small, so it was not a tough decision for me to completely shut down SSL3 support. You can watch the traffic pattern for your website using Google Analytics before making the decision.
Consider sharing the post in case you found this useful.