SSLv3 POODLE vulnerability: Learn how to disable SSLv3 (and SSLv2) in Internet Explorer, Mozilla Firefox, Google Chrome and on server platforms like Apache, Nginx and Windows Server IIS. Here is how to do that!
Most modern browsers support the TLS 1.1 and TLS 1.2 protocols. We are taking disabling SSLv3 in our various server configurations into consideration. Due to Patch Tuesday (today!) a descision has to be made soon, all other updates are planned and ready for our environment.
how to disable SSLv2 and SSLv3 in Internet Explorer, Google Chrome and Mozilla Firefox
If you want to be sure your browser supports only safe SSL versions you can disable other versions you don’t want to use. Your browser then stops sending those versions in the TLS handshake. Note: you may be unable to visit some websites if you follow these steps!
To disable SSLv2 and SSLv3 in Internet Explorer:
Note: different versions of Internet Explorer support different TLS versions, see MSDN blog post Support for SSL/TLS protocols on Windows.
How to disable SSL 2.0 and SSL 3.0 through Group Policy.
In Mozilla Firefox you disable SSLv2 and SSLv3 through the
about:config configuration settings. Look up the keys security.tls.version.min and security.tls.version.max and set this to your desired values. Values may be:
mozillaZine Security.tls.version.* reference. Verify with Qualys SSL Labs SSL/TLS Capabilities of Your Browser. If setting security.tls.version.min and security.tls.version.max versions isn’t enough you can install the SSL Version Control plugin. This plugin is created by Mozilla.
Due to a bug in the Chrome UI you have to specify a command line parameter for the chrome.exe command (shortcut):
--ssl-version-max – Specifies the maximum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
--ssl-version-min – Specifies the minimum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
Your shortcut command would become:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 --ssl-version-max=tls1.2
While you’re busy with setting your browser’s security settings, disable TLS/SSL RC4 in Firefox and Chrome too.
How to disable certain SSL protocols on the server side; IIS, Apache, Nginx
2003 / 2008 (R2) / 2012 (R2)
Microsoft knowledge base article 187498 describes the necessary registry settings to disable SSL protocols such as PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. This information is stored in the following registry key:
The subkeys holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, use regedit, and locate the following registry key:
It’s always unfortunate when you have to restart your server…
Disable SSLv2/SSLv3 in Windows Server IIS using the command line
reg.exe too. Using the
reg.exe command, you can easily disable SSLv2 and SSLv3 on Windows Server IIS. Use the following commands:
rem -- SSLv2 reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0x00000000 rem -- SSLv3 reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0x00000000
ssl_protocols directive to disable SSLv3, and to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have a
ssl_protocols directive, add it to the top of your configuration file.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
The SSL configuration file changed slightly in httpd version 2.2.23. For httpd version 2.2.23 and newer, specify TLSv1, TLSv1.1, and TLSv1.2.
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.
(thank you zmap.io for the Nginx and Apache config)
Be sure to also read how POODLE happend.
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 10 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
SSL in WordPress, How To Move Your WordPress Site to HTTPS? The Definitive Guide
Load Transposh Translation Filter over HTTPS
TLS: Test SMTP AUTH PLAIN authentication and verify StartTLS connections
Information about HeartBleed and IIS
Fix "Could not establish trust relationship for the SSL/TLS secure channel" error
Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration