Fix for Poodle – SSL 3.0 Vulnerability

Another security vulnerability came to light today, on SSL this time.

What: POODLE attack (Padding Oracle On Downgraded Legacy  Encryption) will allow stealing “secure” HTTP cookies (or other bearer  tokens such as HTTP Authorization header contents).
Test: If the below command succeeds it means that this vulnerability exists.

$ curl -v3 -X HEAD “”

Details : For more details read the security advisory at

Fix: If SSLv3 is already disabled on the server side then nothing needs to be done else disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. Since we cant control clients this means fixing it on the server side is the guaranteed fix. Also no modern browsers or mobile devices need SSLv3 – not even IE 8 on Windows XP.



On an Ubuntu system with openssl 1.0.1f to disable SSLv3 on server side modify the entry “SSLProtocol all” in ssl.conf (under apache’s mods-available directory) to “SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2”

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ grep -nri “SSLProtocol” /etc/apache2/
/etc/apache2/mods-available/ssl.conf:64:    SSLProtocol all
# modify contents in ssl.conf
$ sudo vi /etc/apache2/mods-available/ssl.conf
[sudo] password for sandeep:
$ grep -nri “SSLProtocol” /etc/apache2/
/etc/apache2/mods-available/ssl.conf:64:    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
$ sudo service apache2 restart
Proudly powered by WordPress | Theme: Outfit Blog by Crimson Themes.