SSLv3 POODLE vulnerability: Learn how to disable SSLv3 (and SSLv2) in Internet Explorer, Mozilla Firefox, Google Chrome and on server platforms like Apache, Nginx and Windows Server IIS. Here is how to do that!
Most modern browsers support the TLS 1.1 and TLS 1.2 protocols. We are taking disabling SSLv3 in our various server configurations into consideration. Due to Patch Tuesday (today!) a decision has to be made soon; all other updates are planned and ready for our environment.
Disable SSL protocols: client side
How to disable SSLv2 and SSLv3 in Internet Explorer, Google Chrome and Mozilla Firefox
If you want to be sure your browser supports only safe SSL versions you can disable other versions you don’t want to use. Your browser then stops sending those versions in the TLS handshake. Note: you may be unable to visit some websites if you follow these steps!
In Mozilla Firefox you disable SSLv2 and SSLv3 through the about:config configuration settings. Look up the keys security.tls.version.min and security.tls.version.max and set them to the desired values. Values may be:
Due to a bug in the Chrome UI you have to specify a command line parameter for the chrome.exe command (shortcut):
--ssl-version-max – Specifies the maximum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
--ssl-version-min – Specifies the minimum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
How to disable certain SSL protocols on the server side; IIS, Apache, Nginx
Windows Server – Internet Information Services (IIS)
2003 / 2008 (R2) / 2012 (R2)
Microsoft knowledge base article 187498 describes the necessary registry settings to disable SSL protocols such as PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. This information is stored in the following registry key:
Last night Google announced the discovery of a protocol vulnerability in SSLv3. This vulnerability allows an attacker to read the contents of connections secured by SSLv3. The vulnerability is called the ‘POODLE’ (Padding Oracle On Downgraded Legacy Encryption) attack. Microsoft also released Microsoft Security Advisory 3009008.
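For the Apache and Nginx side of the server-side section, a check that flags configuration lines which still enable SSLv2 or SSLv3. This is an added example, not code from the original post; it reads mod_ssl's SSLProtocol and Nginx's ssl_protocols directives, the sample configuration is constructed, and treating Apache's "all" as including SSLv3 is an assumption.

```python
import re

# Protocols the post wants switched off.
LEGACY = {"SSLv2", "SSLv3"}
# Assumption: Apache's "all" is treated as including SSLv3, so a bare
# "SSLProtocol all" is reported rather than trusted.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#\n]+)", re.I)

def apache_protocols(args):
    """Evaluate SSLProtocol arguments left to right; +/- modify the set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)  # a bare name replaces what came before
    return enabled

def audit(text):
    """Return (line_no, directive, legacy protocols) per offending line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        if directive.lower() == "sslprotocol":
            enabled = apache_protocols(args)
        else:
            enabled = set(args.split())  # Nginx lists enabled protocols
        bad = sorted(enabled & LEGACY)
        if bad:
            findings.append((no, directive, bad))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# SSLProtocol all
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive} still enables {', '.join(bad)}")
```

The check only looks at explicit directive lines; a configuration that omits the directive falls back to the server's defaults, which this example does not evaluate.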
Jan Reilink, 2014-10-14 16:16:07, 2016-08-10 11:33:39, Time to disable SSLv3, or what?