In our previous blog post, we gave a quick overview of the ‘POODLE’ SSLv3.0 vulnerability, followed by tips for mitigating the risks on client applications. In this post, we will focus our attention on server side strategies.
For servers using SSL, there is only one sure-fire fix; disable SSL in favour of TLS. Aside from the obvious and pressing concerns regarding the protection of user data, here’s another point for sysadmins to bear in mind. Several application developers have already indicated that they will be disabling SSLv3.0 support in the coming months. So if you’re running a server, best make sure you’re ready well in advance.
Isn’t Turning Off SSL Going to Cause Problems?
Yes, it probably is. Depending on your user base and their connection habits, this may be more or less of an issue. Consider your situation, plan, run tests, inform your users, do whatever it is you need to do. But do not ignore the problem, it isn’t going away.
Do I Need to Turn Off SSLv2 Too?
Yes. While POODLE does not target SSLv2, it has been considered insecure for several years. So if you’re still supporting it, now is a good time to switch it off.
Is Turning Off SSL All I Need To Do?
Possibly not, but it’s a good start. In addition, it would be wise to review the cipher suites you choose to support. TLS (and SSL) use asymmetric, public-key cryptography during the handshake process. This allows the client to verify the identity of, and communicate securely with, a server that they have not previously connected to.
As useful as asymmetric encryption is, it’s also far more resource-intensive than symmetric encryption using a pre-shared key. TLS and SSL neatly sidestep this issue by using asymmetric encryption to securely share a symmetric key, which is then used to encrypt the rest of the traffic for the session.
TLS and SSL can be configured to use a range of cipher suites for the symmetric portion of the transfer, and some are safer than others. Check out the ones you’re using, and see if they’re still up to scratch.
Without Further Ado, Here’s Our Roundup of Server Side Tips
To disable SSL versions 2 and 3, modify the SSLProtocol line in the apache config file to read:
SSLProtocol all –SSLv2 –SSLv3
To alter the supported cipher suites, modify the SSLCipherSuite line in the SSL config. The available ciphers are grouped, but specific ciphers may be excluded using the ! operator. For example:
More useful information about the groups (HIGH in this example) can be ascertained using the following command:
openssl ciphers –v ‘HIGH’
SSL/TLS support is defined in the following registry key:
This will contain subkeys for each protocol version. To disable support for a protocol, set the DWORD value to 00000000.
The Microsoft Howto can be found here.
Update any instances of the directive ‘ssl_protocols’ in the NGINX configuration to read:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Don’t forget to update the http and mail config blocks in the nginx.conf configuration files to change the default behavior. Finally, restart NGINX.
NGINX’s POODLE advice and howto can be found here.
For network printers that provide IPP functionality over SSL, you may need to wait for a patch from the manufacturer (assuming they still support your model). In the meantime, firewalling the printer is a good start; also consider allowing access to VPN users if remote printing is a requirement.
You may also wish to consider the sensitivity of the material being sent to the printer. If your users mainly print confidential documents, perhaps it’s time to get into the market for a new printer (that supports TLS). As always, it’s about weighing up the risk.
Cisco are reviewing their product range and will be releasing patches as necessary, their advisory can be found here.
HP are also conducting a review of their product range, and will be updating this page with information as it becomes available.
That’s All For Now
We hope this information has been helpful, and that you now feel better equipped to eradicate SSL support from your systems. We appreciate that there might be some pain to go through yet, but it’s certainly time to let this venerable old protocol slip into the history books.