# SSL vulnerability CVE-2014-3566



## drmike (Oct 16, 2014)

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Overview

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.


----------



## drmike (Oct 16, 2014)

DigitalOcean just emailed a more in depth page for humans:

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability


----------



## splitice (Oct 16, 2014)

Unfortunately SSLv3 is the highest version of SSL supported in IE6. So by doing this you either restrict your site to IE7 or greater or do not provide SSL for IE6. In my books some SSL is better than no SSL even if said SSL is weakened due to this attack vector.

The best things to do:

- Upgrade your OpenSSL version to 1.0.1j; this prevents the MITM connection downgrade attack vector (if the client supports it) on modern browsers.

- On nginx: check `$ssl_protocol == "SSLv3"` and the user agent not matching the regex `MSIE [4-6]\.`; display an error in such a case.


----------



## splitice (Oct 16, 2014)

Just a quick update, here's some nginx config to do what I mentioned. I haven't tested this as we are doing this in a different manner, but it should work.


```
# nginx "if" has no boolean AND, so the two conditions are combined by
# building a string: "2" when SSLv3 was negotiated, prefixed with "1"
# when the client is not IE 4-6. Only "12" means both conditions held.
if ($ssl_protocol = "SSLv3") {
        set $SSL_POODLE "2";
}
if ($http_user_agent !~ "MSIE [4-6]\.") {
        set $SSL_POODLE "1$SSL_POODLE";
}
# SSLv3 from a browser that could do better: refuse with an error status
if ($SSL_POODLE = "12") {
        return 481;
}
```


----------



## wlanboy (Oct 20, 2014)

Edit lighttpd config:

```
nano /etc/lighttpd/lighttpd.conf
```

add:

```
ssl.use-sslv2          = "disable"
ssl.use-sslv3          = "disable"
```


----------
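One way to verify the lighttpd and nginx changes in this thread from the outside, and at the same time to check whether a server honours the TLS_FALLBACK_SCSV downgrade signal that the OpenSSL 1.0.1j upgrade splitice mentions provides: the Python script below is an added example, not code from any poster or project in this thread. It sends a single raw SSLv3 ClientHello (optionally carrying the TLS_FALLBACK_SCSV signalling suite) and classifies the first record the server returns. The function and constant names are my own, and the sample replies at the bottom are constructed so the classifier can be exercised offline.

```python
"""Probe whether a TLS endpoint still accepts SSLv3 and whether it honours
TLS_FALLBACK_SCSV. Hypothetical helper written for this thread; it speaks
only the first round trip of the handshake and never completes a session."""
import os
import socket
import struct

# Protocol constants from the SSLv3 / TLS record layer and RFC 7507
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
SSLV3_VERSION = b"\x03\x00"
TLS_FALLBACK_SCSV = 0x5600            # signalling suite from RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86     # alert a patched server sends back

# A few RSA cipher suites that an SSLv3-era server would normally accept
SSLV3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(signal_fallback=False):
    """Build a raw SSLv3 ClientHello record.

    SSLv3 has no extensions, so the body is just version, random, empty
    session id, cipher suites and the null compression method. With
    signal_fallback=True the TLS_FALLBACK_SCSV suite is appended, which is
    what a browser does when it retries a failed handshake with a lower version."""
    suites = list(SSLV3_CIPHER_SUITES)
    if signal_fallback:
        suites.append(TLS_FALLBACK_SCSV)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3_VERSION                              # client_version 3.0
        + os.urandom(32)                           # 32-byte client random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + SSLV3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def offered_cipher_suites(hello):
    """Parse the cipher suite list back out of a ClientHello built above."""
    # 5 record header + 4 handshake header + 2 version + 32 random + 1 sid len
    off = 44
    count = struct.unpack("!H", hello[off:off + 2])[0] // 2
    return [struct.unpack("!H", hello[off + 2 + 2 * i:off + 4 + 2 * i])[0]
            for i in range(count)]


def classify_server_response(data):
    """Interpret the first record the server returns to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-record"                        # closed without a record
    content_type, body = data[0], data[5:]
    if content_type == RECORD_ALERT and len(body) >= 2:
        description = body[1]
        if description == ALERT_INAPPROPRIATE_FALLBACK:
            return "fallback-scsv-honoured"       # server refuses the downgrade
        return "sslv3-refused(alert %d)" % description
    if (content_type == RECORD_HANDSHAKE and len(body) >= 6
            and body[0] == HANDSHAKE_SERVER_HELLO):
        version = body[4:6]                       # server_version field
        if version == SSLV3_VERSION:
            return "sslv3-accepted"               # still exposed to POODLE
        return "negotiated-%d.%d" % (version[0], version[1])
    return "unexpected"


def probe_sslv3(host, port=443, signal_fallback=False, timeout=5.0):
    """Send one SSLv3 ClientHello to host:port and classify the reply."""
    hello = build_sslv3_client_hello(signal_fallback)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "no-response"
    return classify_server_response(data)


# Constructed sample replies (not captured from a real server) for offline use
SAMPLE_SERVER_HELLO_SSLV3 = (b"\x16\x03\x00\x00\x2a"             # record header
                             b"\x02\x00\x00\x26"                 # ServerHello, len 38
                             b"\x03\x00" + b"\x00" * 32          # version 3.0, random
                             + b"\x00" + b"\x00\x2f" + b"\x00")  # sid, suite, compression
SAMPLE_ALERT_INAPPROPRIATE_FALLBACK = b"\x15\x03\x00\x00\x02\x02\x56"  # fatal, 86
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x00\x00\x02\x02\x46"        # fatal, 70

if __name__ == "__main__":
    for name, reply in [("sslv3 still enabled", SAMPLE_SERVER_HELLO_SSLV3),
                        ("1.0.1j with fallback signal", SAMPLE_ALERT_INAPPROPRIATE_FALLBACK),
                        ("sslv3 disabled", SAMPLE_ALERT_PROTOCOL_VERSION)]:
        print(name, "->", classify_server_response(reply))
```

Run `probe_sslv3("your.host")` once without and once with `signal_fallback=True`: after the lighttpd or nginx change the first call should no longer come back as `sslv3-accepted`, and a server built against OpenSSL 1.0.1j answers the second with the inappropriate_fallback alert, which is the downgrade protection a modern browser relies on. A plain connection close (`no-record`) also means SSLv3 is off, just less informatively.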

