20141016

Patching the POODLE bug in Apache

If you use HTTPS with Apache on Ubuntu or another Linux flavor, it's quite likely that you have SSL v3 enabled and are therefore vulnerable to the POODLE bug.

To stop Apache from using SSL v3, add the SSLProtocol line shown below to the typical SSL config of the affected virtual host.

--------------------------
  SSLEngine on

  SSLProtocol All -SSLv2 -SSLv3

  SSLCertificateFile    /etc/ssl/certs/xxxx.com.crt
  SSLCertificateKeyFile /etc/ssl/private/xxxx.com.key
  SSLCACertificateFile  /etc/ssl/certs/CA.xxxx.com.crt
------------------------

And of course restart Apache!
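To check config files for the directive above, here is an added example (not part of the original post) that evaluates `SSLProtocol` arguments left to right and reports whether SSLv3 stays enabled. It assumes `All` still includes SSLv3, as in the mod_ssl builds this post addresses, and that a bare token replaces the set built so far; `effective_protocols`, `audit` and the sample config are hypothetical names and constructed input.

```python
import re

# Assumption: "all" expands as in OpenSSL 1.0.1-era mod_ssl builds, where it
# still includes SSLv3 (the situation this post addresses).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL | {"SSLv2"}}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right and return the enabled set."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word.lstrip("+-").lower()
        if name == "all":
            selected = set(ALL)
        elif name in KNOWN:
            selected = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {word}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected  # assumption: a bare token replaces earlier ones
    return enabled

def audit(config_text):
    """Return (line_number, arguments, sslv3_enabled) per SSLProtocol line."""
    pattern = re.compile(r"\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = pattern.match(line)  # commented-out lines start with '#': no match
        if match:
            args = match.group(1)
            findings.append((number, args, "SSLv3" in effective_protocols(args)))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All -SSLv2
SSLProtocol -SSLv3 All
"""

if __name__ == "__main__":
    for number, args, weak in audit(SAMPLE):
        print(number, args, "SSLv3 ENABLED" if weak else "SSLv3 disabled")
```

The last sample line shows why ordering matters: a bare `All` after `-SSLv3` puts SSLv3 back.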

Note: In recent versions it is recommended to add these lines too, but read the link below for the full details.

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off


You can quickly check your configuration with this GeoTrust tool: https://ssltools.geotrust.com/checker/views/certCheck.jsp

Or you can check for all kinds of SSL problems with this great but slower Qualys tool:

https://www.ssllabs.com/ssltest/

More general information about this problem at: http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

