The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability has been making headlines since September 2014. There are a few options for mitigating the risk, but our infrastructure team has found that not all organizations are able and willing to implement them. Disabling SSLv3 entirely can cut users off from secure websites they rely on, and Google’s TLS_FALLBACK_SCSV mechanism requires support from the web browser, and has not been implemented server-side by all distributions, especially on older and unsupported versions. Further, TLS_FALLBACK_SCSV does not address the issue of SSLv3 support itself, rather it prevents devices which support TLS from downgrading connections to SSLv3. It does not help in cases where the browser is Internet Explorer Versions 1 through 6 (although Internet Explorer versions 4 through 6 can be configured to enable TLS.)
A more elegant solution is not to block SSLv3, but to instead warn users that their current browser is vulnerable to known attacks and instruct them on how to upgrade. With Apache2 and mod_rewrite, it is possible to redirect SSLv3 connections to such a warning page and advise users of the issue and how to resolve it. Here are the steps to do so:
- Prepare or find an explanation page you wish to redirect insecure SSL sessions to and note the URL.
- If you run a reverse proxy, load balancer, or other session layer device between your apache server(s) and the Internet, please be aware that those devices may be vulnerable to POODLE even though they support TLS: http://www.computerworld.com.au/article/561828/poodle-flaw-returns-time-hitting-tls-security-protocol/
To be sure that your entire chain of TLS implementations is secure, temporarily disable SSLv3 in apache2 and head over to SSL Labs to test your site. If your TLS chain is vulnerable you should receive a grade of “F” with a warning (emphasis ours:) “This server is vulnerable to the POODLE attack against TLS servers.” If you receive this warning, you should contact your vendors and request patches. - Make sure that Apache2’s mod_rewrite has been installed on your system. Apache2 runs on a variety of architectures and operating systems, so installing individual Apache2 modules is beyond the scope of this article.
- Make sure that Apache2’s mod_rewrite is enabled. To do this, run the following as root/administrator:
a2enmod rewrite - Add the following lines, without the line numbers, to your Apache2 HTTPS site configurations, changing http://yourwebsite.com/yourexplanationpage.html to the explanation page you wish to redirect users to:
- #POODLE REDIRECT CONFIG–
- SSLOptions +StdEnvVars
- RewriteEngine On
- RewriteCond %{ENV:SSL_PROTOCOL} ^SSLv[2-3]$ [NC]
- RewriteRule ^.*$ http://yourwebsite.com/yourexplanationpage.html
- #END POODLE REDIRECT CONFIG–
- If you have disabled SSLv3 already, undo the configuration disabling it.
- Restart Apache2
- Now test, test, and then test some more! You can use Firefox and enable/disable SSLv3. To force an SSLv3 connection set both security.tls.version.min & security.tls.version.max to 0. To disable SSLv3 in Firefox set security.tls.version.min to 1 or higher and set security.tls.version.max greater than or equal to security.tls.version.min
Edgewater Blog 