SSLv3 POODLE vulnerability: Learn how to disable SSLv3 (and SSLv2) in Internet Explorer, Mozilla Firefox, Google Chrome and on server platforms like Apache, Nginx and Windows Server IIS. Here is how to do that!
Most modern browsers support the TLS 1.1 and TLS 1.2 protocols. We are taking disabling SSLv3 in our various server configurations into consideration. Due to Patch Tuesday (today!) a descision has to be made soon, all other updates are planned and ready for our environment.
- 1 Disable SSL protocols: client side #
- 2 Disable SSL protocols: server side #
- 3 More on POODLE #
- 4 SSLv3 POODLE updates #
Disable SSL protocols: client side #
how to disable SSLv2 and SSLv3 in Internet Explorer, Google Chrome and Mozilla Firefox
If you want to be sure your browser supports only safe SSL versions you can disable other versions you don’t want to use. Your browser then stops sending those versions in the TLS handshake. Note: you may be unable to visit some websites if you follow these steps!
Internet Explorer #
To disable SSLv2 and SSLv3 in Internet Explorer:
- go to Internet Options
- go to the tab Advanced
- deselect Use SSL 2.0
- deselect Use SSL 3.0
Note: different versions of Internet Explorer support different TLS versions, see MSDN blog post Support for SSL/TLS protocols on Windows.
Internet Explorer through Group Policy #
How to disable SSL 2.0 and SSL 3.0 through Group Policy.
- Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support:
- select the appropriate Secure Protocol combinations (Use TLS 1.0, TLS 1.1, and TLS 1.2) from the drop down menu
Mozilla Firefox #
In Mozilla Firefox you disable SSLv2 and SSLv3 through the
about:config configuration settings. Look up the keys security.tls.version.min and security.tls.version.max and set this to your desired values. Values may be:
- 0: SSL 3.0
- 1: TLS 1.0
- 2: TLS 1.1
- 3: TLS 1.2
mozillaZine Security.tls.version.* reference. Verify with Qualys SSL Labs SSL/TLS Capabilities of Your Browser. If setting security.tls.version.min and security.tls.version.max versions isn’t enough you can install the SSL Version Control plugin. This plugin is created by Mozilla.
Google Chrome #
Due to a bug in the Chrome UI you have to specify a command line parameter for the chrome.exe command (shortcut):
--ssl-version-max – Specifies the maximum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
--ssl-version-min – Specifies the minimum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
Your shortcut command would become:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 --ssl-version-max=tls1.2
Disable insecure ciphers in your browser too
While you’re busy with setting your browser’s security settings, disable TLS/SSL RC4 in Firefox and Chrome too.
Disable SSL protocols: server side #
How to disable certain SSL protocols on the server side; IIS, Apache, Nginx
Windows Server – Internet Information Services (IIS) #
2003 / 2008 (R2) / 2012 (R2)
Microsoft knowledge base article 187498 describes the necessary registry settings to disable SSL protocols such as PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. This information is stored in the following registry key:
The subkeys holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, use regedit, and locate the following registry key:
- HKLM\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\[SSL-version]\Server
- On the Edit menu, click Add Value
- In the Data Type list, click DWORD
- In the Value Name box, type Enabled, and then click OK
Note If this value is present, double-click the value to edit its current value
- Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
- Click OK. Restart the computer.
It’s always unfortunate when you have to restart your server…
Disable SSL in Windows Server IIS using reg.exe #
Disable SSLv2/SSLv3 in Windows Server IIS using the command line
reg.exe too. Using the
reg.exe command, you can easily disable SSLv2 and SSLv3 on Windows Server IIS. Use the following commands:
rem -- SSLv2 reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0x00000000 rem -- SSLv3 reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0x00000000
Disable SSLv3 in nginx #
ssl_protocols directive to disable SSLv3, and to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have a
ssl_protocols directive, add it to the top of your configuration file.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Disable SSLv3 in Apache #
The SSL configuration file changed slightly in httpd version 2.2.23. For httpd version 2.2.23 and newer, specify TLSv1, TLSv1.1, and TLSv1.2.
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.
(thank you zmap.io for the Nginx and Apache config)
More on POODLE #
Be sure to also read how POODLE happend.