Time to disable SSLv3, or what?

SSLv3 POODLE vulnerability: Learn how to disable SSLv3 (and SSLv2) in Internet Explorer, Mozilla Firefox, Google Chrome and on server platforms like Apache, Nginx and Windows Server IIS. Here is how to disable SSLv3!

We’ve all heard, or read about, the SSLv3 flaw rumours spreading. Microsoft is supposed to release the details this week. Do we need to disable SSLv3?

Most modern browsers support the TLS 1.1 and TLS 1.2 protocols. We are considering disabling SSLv3 in our various server configurations. Because of Patch Tuesday (today!) a decision has to be made soon; all other updates are planned and ready for our environment.

Disable SSL protocols: client side #

How to disable SSLv2 and SSLv3 in Internet Explorer, Google Chrome and Mozilla Firefox.

If you want to be sure your browser supports only safe SSL versions you can disable other versions you don’t want to use. Your browser then stops sending those versions in the TLS handshake. Note: you may be unable to visit some websites if you follow these steps!

Internet Explorer #

To disable SSLv2 and SSLv3 in Internet Explorer:

  1. go to Internet Options
  2. go to the tab Advanced
  3. deselect Use SSL 2.0
  4. deselect Use SSL 3.0

Note: different versions of Internet Explorer support different TLS versions, see MSDN blog post Support for SSL/TLS protocols on Windows.


Internet Explorer through Group Policy #

How to disable SSL 2.0 and SSL 3.0 through Group Policy.

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support:
  • select the appropriate Secure Protocol combinations (Use TLS 1.0, TLS 1.1, and TLS 1.2) from the drop down menu

Mozilla Firefox #

In Mozilla Firefox you disable SSLv2 and SSLv3 through the about:config configuration settings. Look up the keys security.tls.version.min and security.tls.version.max and set them to your desired values. Possible values are:

  • 0: SSL 3.0
  • 1: TLS 1.0
  • 2: TLS 1.1
  • 3: TLS 1.2

See the mozillaZine Security.tls.version.* reference. Verify the result with Qualys SSL Labs' SSL/TLS Capabilities of Your Browser. If setting security.tls.version.min and security.tls.version.max isn't enough, you can install the SSL Version Control plugin, which is created by Mozilla.

Google Chrome #

Due to a bug in the Chrome UI you have to specify command line parameters for the chrome.exe command (shortcut):

  • --ssl-version-max – specifies the maximum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)
  • --ssl-version-min – specifies the minimum SSL/TLS version (“ssl3”, “tls1”, “tls1.1”, or “tls1.2”)

Your shortcut command would become:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 --ssl-version-max=tls1.2

Disable insecure ciphers in your browser too

While you’re busy with setting your browser’s security settings, disable TLS/SSL RC4 in Firefox and Chrome too.

Disable SSL protocols: server side #

How to disable certain SSL protocols on the server side: IIS, Apache and Nginx.

Windows Server – Internet Information Services (IIS) #

2003 / 2008 (R2) / 2012 (R2)

Microsoft knowledge base article 187498 describes the necessary registry settings to disable SSL protocols such as PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0.


This information is stored in the registry, with one subkey per protocol holding that protocol's settings. Any one of these protocols can be disabled at the server. To do this, use regedit and locate the following registry key:

  1. HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\[SSL-version]\Server
  2. On the Edit menu, click Add Value
  3. In the Data Type list, click DWORD
  4. In the Value Name box, type Enabled, and then click OK
    Note: if this value is already present, double-click it to edit its current value
  5. Type 00000000 in the Binary Editor to set the value of the new key to “0”
  6. Click OK. Restart the computer.

It’s always unfortunate when you have to restart your server…

Disable SSL in Windows Server IIS using reg.exe
You can also disable SSLv2 and SSLv3 on Windows Server IIS from the command line with reg.exe, which writes the same Enabled value as the regedit steps above. Use the following commands:

rem -- SSLv2
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0x00000000

rem -- SSLv3
reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0x00000000
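To check that the registry changes above actually took, it helps to look at what the SCHANNEL Protocols key contains after the restart. The following Python script is an added example, not part of the original post and not a Microsoft tool: it parses the text printed by reg query "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" /s and reports every SSL 2.0 or SSL 3.0 subkey that is not explicitly disabled. It goes slightly beyond the reg add commands above by also checking the Client subkeys (the commands above only touch Server). The sample output embedded in the script is constructed to resemble reg.exe output, and the constant and function names (SCHANNEL_PROTOCOLS, parse_reg_query, schannel_findings) are my own.

```python
# Added example, not part of the original post: audit "reg query ... /s" output
# for SCHANNEL protocol subkeys that still allow SSL 2.0 or SSL 3.0.
# Runs offline on the constructed sample below; on a real server, feed it the
# text of:
#   reg query "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" /s

SCHANNEL_PROTOCOLS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                      r"\SecurityProviders\SCHANNEL\Protocols")

# Constructed sample in the layout reg.exe prints: a key path on its own line,
# then one indented "name  type  data" line per value. Here SSL 2.0\Server and
# SSL 3.0\Server are disabled, SSL 3.0\Client is explicitly enabled and
# SSL 2.0\Client has no subkey at all.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    Enabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Enabled    REG_DWORD    0x0
    DisabledByDefault    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
    Enabled    REG_DWORD    0xffffffff
"""


def parse_reg_query(output):
    """Turn reg query /s text into {key_path_lowercased: {value_name: int}}.
    Only REG_DWORD values are decoded; reg.exe prints them in hex (0x0)."""
    keys, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line is a key path; registry keys are case-insensitive
            current = line.strip().lower()
            keys.setdefault(current, {})
        elif current is not None:
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "REG_DWORD":
                keys[current][parts[0]] = int(parts[2], 16)
    return keys


def schannel_findings(keys):
    """Return one finding per SSL 2.0/3.0 Server or Client subkey that is not
    explicitly disabled, i.e. whose Enabled value is missing or non-zero."""
    findings = []
    for proto in ("SSL 2.0", "SSL 3.0"):
        for side in ("Server", "Client"):
            path = f"{SCHANNEL_PROTOCOLS}\\{proto}\\{side}".lower()
            enabled = keys.get(path, {}).get("Enabled")
            if enabled is None:
                findings.append(f"{proto} {side}: no Enabled value, the Windows default applies")
            elif enabled != 0:
                findings.append(f"{proto} {side}: Enabled={enabled:#x}, still enabled")
    return findings


if __name__ == "__main__":
    for finding in schannel_findings(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

On the constructed sample this reports two findings: SSL 2.0 Client has no Enabled value, and SSL 3.0 Client is still enabled (Enabled=0xffffffff). An empty result means both protocols are explicitly disabled for both the server and the client side of SCHANNEL.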

Disable SSLv3 in nginx #

Modify the ssl_protocols directive to disable SSLv3 and to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it to the top of your configuration file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Disable SSLv3 in Apache #

The SSL configuration file changed slightly in httpd version 2.2.23. For httpd version 2.2.23 and newer, specify TLSv1, TLSv1.1, and TLSv1.2.

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.

SSLProtocol TLSv1

(thank you zmap.io for the Nginx and Apache config)
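Because the Apache directive accepts "all", "+name" and "-name" tokens and the meaning of a bare TLSv1 depends on the httpd version, it is easy to end up with a line that still permits SSLv3 (for instance "SSLProtocol all -SSLv2"). The Python script below is an added example, not part of the original post nor of nginx or Apache: it evaluates an nginx ssl_protocols or Apache SSLProtocol line the way the sections above describe, including the TLSv1 wildcard rule for httpd 2.2.22 and older, and flags SSLv2 and SSLv3. The names APACHE_ALL, apache_allowed and audit and the constructed config snippets are my own.

```python
# Added example, not part of the original post or of nginx/Apache: work out
# which protocols an nginx ssl_protocols or Apache SSLProtocol line really
# permits, and flag SSLv2/SSLv3.

# Protocol names as spelled in Apache's directive; "all" expands to all of
# them. SSLv2 is kept in the set so that an old "all -SSLv2" line is evaluated
# the way its author meant it.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANONICAL = {p.lower(): p for p in APACHE_ALL}


def apache_allowed(args, httpd_version=(2, 4, 0)):
    """Evaluate the arguments of SSLProtocol: 'all', '+name', '-name' or a bare
    name, processed left to right. On httpd 2.2.22 and older a bare TLSv1 is a
    wildcard for every TLS version, as the post explains."""
    allowed = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = set(APACHE_ALL)
        else:
            names = {_CANONICAL.get(name.lower(), name)}
        if sign == "+":
            allowed |= names
        else:
            allowed -= names
    if httpd_version <= (2, 2, 22) and "TLSv1" in allowed:
        allowed |= {"TLSv1.1", "TLSv1.2"}
    return allowed


def audit(config_text, server, httpd_version=(2, 4, 0)):
    """server is 'nginx' or 'apache'. Returns (allowed_set_or_None, findings).
    Comments are stripped and the last matching directive wins; nested
    contexts (server {} blocks, <VirtualHost>) are not tracked, so run it per
    vhost file if you need that level of detail."""
    directive = "ssl_protocols" if server == "nginx" else "SSLProtocol"
    allowed = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split(None, 1)
        if not parts or parts[0].lower() != directive.lower():
            continue
        args = parts[1] if len(parts) > 1 else ""
        if server == "nginx":
            allowed = set(args.split())
        else:
            allowed = apache_allowed(args, httpd_version)
    findings = []
    if allowed is None:
        findings.append(f"{directive} is not set; the server default applies, set it explicitly")
    else:
        findings += [f"{weak} is enabled" for weak in ("SSLv2", "SSLv3") if weak in allowed]
    return allowed, findings


# Constructed sample snippets: a weak line beside its corrected form.
NGINX_BEFORE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
NGINX_AFTER = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
APACHE_BEFORE = "SSLProtocol all -SSLv2"          # SSLv3 is still allowed here
APACHE_AFTER = "SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2"

if __name__ == "__main__":
    for label, text, server in (("nginx before", NGINX_BEFORE, "nginx"),
                                ("nginx after", NGINX_AFTER, "nginx"),
                                ("apache before", APACHE_BEFORE, "apache"),
                                ("apache after", APACHE_AFTER, "apache")):
        print(label, audit(text, server))
    print("httpd 2.2.22 'SSLProtocol TLSv1' ->", apache_allowed("TLSv1", (2, 2, 22)))
```

Point it at the relevant vhost or ssl.conf file; an empty findings list together with a non-empty allowed set means the directive is present and permits neither SSLv2 nor SSLv3.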


More on SSLv3 POODLE #

More information on the POODLE attack is found online at zmap.io, and Dutch security firm Fox-IT keeps a live blog on SSLv3 protocol vulnerability ‘POODLE’.

Be sure to also read how POODLE happened.

Update 1: Last night Google announced the discovery of a protocol vulnerability in SSLv3. This vulnerability allows an attacker to read the contents of connections secured by SSLv3. The vulnerability is called a ‘POODLE’ (Padding Oracle On Downgraded Legacy Encryption) attack. Microsoft too released Microsoft Security Advisory 3009008.

Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.
