Time to disable SSLv3, or what?

SSLv3 POODLE vulnerability: Learn how to disable SSLv3 (and SSLv2) in Internet Explorer, Mozilla Firefox, Google Chrome and on server platforms like Apache, Nginx and Windows Server IIS. Here is how to do that!

We’ve all heard, or read about, the SSLv3 flaw rumours spreading. Microsoft is supposed to release the details this week. Do we need to disable SSLv3?

Most modern browsers support the TLS 1.1 and TLS 1.2 protocols. We are taking disabling SSLv3 in our various server configurations into consideration. Due to Patch Tuesday (today!) a decision has to be made soon; all other updates are planned and ready for our environment.

Disable SSL protocols: client side

How to disable SSLv2 and SSLv3 in Internet Explorer, Google Chrome and Mozilla Firefox

If you want to be sure your browser supports only safe SSL versions you can disable other versions you don’t want to use. Your browser then stops sending those versions in the TLS handshake. Note: you may be unable to visit some websites if you follow these steps!

Internet Explorer

To disable SSLv2 and SSLv3 in Internet Explorer:

  1. go to Internet Options
  2. go to the tab Advanced
  3. deselect Use SSL 2.0
  4. deselect Use SSL 3.0

Note: different versions of Internet Explorer support different TLS versions, see MSDN blog post Support for SSL/TLS protocols on Windows.

Internet Explorer through Group Policy

How to disable SSL 2.0 and SSL 3.0 through Group Policy.

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support:
  • select the appropriate Secure Protocol combinations (Use TLS 1.0, TLS 1.1, and TLS 1.2) from the drop down menu

Mozilla Firefox

In Mozilla Firefox you disable SSLv2 and SSLv3 through the about:config configuration settings. Look up the keys security.tls.version.min and security.tls.version.max and set them to your desired values. Values may be:

  • 0: SSL 3.0
  • 1: TLS 1.0
  • 2: TLS 1.1
  • 3: TLS 1.2

See the mozillaZine Security.tls.version.* reference. Verify with Qualys SSL Labs SSL/TLS Capabilities of Your Browser. If setting security.tls.version.min and security.tls.version.max isn’t enough, you can install the SSL Version Control plugin. This plugin is created by Mozilla.

Google Chrome

Due to a bug in the Chrome UI you have to specify a command line parameter for the chrome.exe command (shortcut):
--ssl-version-max – Specifies the maximum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
--ssl-version-min – Specifies the minimum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)

Your shortcut command would become:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 --ssl-version-max=tls1.2

Disable insecure ciphers in your browser too

While you’re busy with setting your browser’s security settings, disable TLS/SSL RC4 in Firefox and Chrome too.

Disable SSL protocols: server side

How to disable certain SSL protocols on the server side: IIS, Apache, Nginx

Windows Server – Internet Information Services (IIS)

2003 / 2008 (R2) / 2012 (R2)

Microsoft knowledge base article 187498 describes the necessary registry settings to disable SSL protocols such as PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. This information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

The subkeys hold information about each protocol. Any one of these protocols can be disabled at the server. To do this, use regedit, and locate the following registry key:

  1. HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\[SSL-version]\Server
  2. On the Edit menu, click Add Value
  3. In the Data Type list, click DWORD
  4. In the Value Name box, type Enabled, and then click OK
    Note If this value is present, double-click the value to edit its current value
  5. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
  6. Click OK. Restart the computer.

It’s always unfortunate when you have to restart your server…

Disable SSL in Windows Server IIS using reg.exe

You can also disable SSLv2 and SSLv3 on Windows Server IIS from the command line with reg.exe. Use the following commands:

rem -- SSLv2
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0x00000000

rem -- SSLv3
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0x00000000

Disable SSLv3 in nginx

Modify the ssl_protocols directive to disable SSLv3, and to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it to the top of your configuration file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Disable SSLv3 in Apache

The SSL configuration file changed slightly in httpd version 2.2.23. For httpd version 2.2.23 and newer, specify TLSv1, TLSv1.1, and TLSv1.2.

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.

SSLProtocol TLSv1

(thank you zmap.io for the Nginx and Apache config)
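
To check the result of the nginx and Apache changes above, here is an added example (not part of the original post or the zmap.io configs): a small Python auditor that reads ssl_protocols and SSLProtocol lines and reports whether SSLv2 or SSLv3 is still enabled. The sample lines are constructed, the function names are hypothetical, and treating "all" as every listed protocol is an assumption.

```python
import re

# Protocol names as they appear on this page, plus SSLv2. "all" is modelled
# as every name in this list (an assumption that fits httpd 2.2-era builds).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
CANON = {n.lower(): n for n in KNOWN}
LEGACY = {"SSLv2", "SSLv3"}
# Matches an uncommented directive and captures its arguments up to ';' or '#'.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def enabled_protocols(directive, args):
    """Return the set of protocols one directive line leaves enabled."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        names = set(KNOWN) if name == "all" else {CANON.get(name, name)}
        if directive.lower() == "ssl_protocols" or sign == "+":
            enabled |= names      # nginx: plain allow-list; Apache: +name adds
        elif sign == "-":
            enabled -= names      # Apache: -name removes
        else:
            enabled = set(names)  # Apache: a bare name resets the set
    return enabled


def audit(config_text):
    """Return [(line_no, directive, legacy protocols still enabled)]."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            legacy = sorted(enabled_protocols(m.group(1), m.group(2)) & LEGACY)
            findings.append((no, m.group(1), legacy))
    return findings


# Constructed sample lines, not taken from a real server.
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all -SSLv2
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol TLSv1
# SSLProtocol all
"""

if __name__ == "__main__":
    for no, directive, legacy in audit(SAMPLE):
        print(no, directive, "FAIL " + ",".join(legacy) if legacy else "ok")
```

The third sample line is the case to watch for: removing only SSLv2 from "all" leaves SSLv3 enabled.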

More on POODLE

More information on the POODLE attack is found online at zmap.io, and Dutch security firm Fox-IT keeps a live blog on SSLv3 protocol vulnerability ‘POODLE’.

Be sure to also read how POODLE happened.

SSLv3 POODLE updates

Update 1: Last night Google announced the discovery of a protocol vulnerability in SSLv3. This vulnerability allows an attacker to read contents of connections secured by SSLv3. The vulnerability is called a ‘POODLE’ (Padding Oracle On Downgraded Legacy Encryption) attack. Microsoft too released their Microsoft Security Advisory 3009008.


About the Author J. Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 10 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.