1. Linux Distribution and version? Red Hat Enterprise Linux 6.6
2. 32 or 64bit? 64bit
3. VMware Image or Manual Install of XI? Manual install
4. Are there special configurations on your system, i.e. is Gnome installed? Are you using a proxy? Are you using SSL? Using SSL
I wanted to know if the version of SSL that Nagios uses is affected by this vulnerability that Red Hat reported last week:
https://access.redhat.com/articles/1232123
I used the Nagios document provided by the knowledgebase to configure SSL on the Web frontend titled "How to Configure SSL for Nagios XI".
http://assets.nagios.com/downloads/nagi ... s%20XI.pdf
Red Hat has a script that detects open Apache connections and sees if they are using SSLv3. I explicitly changed the /etc/httpd/conf.d/ssl.conf file to exclude SSLv2 and SSLv3 in the SSLProtocol directive and restarted the Apache service, but the Red Hat script still says there are SSLv3 connections. How do I disable the SSLv3 protocol from being used?
POODLE: SSLv3 vulnerability (CVE-2014-3566)
nimhengnrs
- Posts: 6
- Joined: Thu Mar 28, 2013 12:30 pm
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: POODLE: SSLv3 vulnerability (CVE-2014-3566)
What alterations to the ssl config did you do? The -SSLv3 when specifying the ciphers allowed should be the correct change.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
nimhengnrs
- Posts: 6
- Joined: Thu Mar 28, 2013 12:30 pm
Re: POODLE: SSLv3 vulnerability (CVE-2014-3566)
Hi Spenser
I edited the line that has the phrase SSLProtocol:
Old
SSLProtocol all -SSLv2
New line
SSLProtocol -All +TLSv1 -SSLv3
And then I restarted the httpd service as root.
Here is the script Red Hat recommended to run to determine if SSLv3 is running:
#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-`hostname`}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSLv3 disabled"
    else
        echo "SSLv3 enabled"
    fi
else
    echo "SSL disabled or other error"
fi
The output of this script says SSLv3 enabled. I'm next going to reboot the server to gracefully close all open processes.
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: POODLE: SSLv3 vulnerability (CVE-2014-3566)
The only two lines that should make a difference are:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
These are exactly as I have them, and your check correctly reports SSL as off. I would suggest trying the ones I have set above and if you wish to restrict beyond that, as you have attempted with the TLS force, you may but it would be largely outside of our support realm as that gets into apache specifics.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
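The SSLProtocol lines traded back and forth above are evaluated by mod_ssl left to right: a bare keyword replaces the protocol set, a `+` keyword adds to it, a `-` keyword removes from it, and `all` expands to every version the build supports. An SSLProtocol directive inside an SSL <VirtualHost> takes precedence over the server-wide one in ssl.conf for that virtual host, so fixing one file does not help if a second SSLProtocol elsewhere under /etc/httpd still reads `all -SSLv2`. The script below is an added example, not code from this thread, from Nagios or from Red Hat: it reimplements that evaluation in POSIX sh and audits every SSLProtocol directive under a directory, reporting the resulting protocol set and whether SSLv3 survives. The config tree built in `demo` is constructed for the demonstration; its file names and layout are assumptions, and the expansion of `all` is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not from the thread, Nagios or Red Hat): evaluate Apache
# SSLProtocol directives the way mod_ssl does and audit a config tree for any
# directive that still leaves SSLv3 enabled (POODLE, CVE-2014-3566).

# has_proto LIST PROTO: true if PROTO is in the space-separated LIST.
has_proto() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# add_proto LIST PROTO / del_proto LIST PROTO: print LIST with PROTO added/removed.
add_proto() {
    if has_proto "$1" "$2"; then printf '%s' "$1"; else printf '%s' "${1:+$1 }$2"; fi
}
del_proto() {
    out=""
    for p in $1; do [ "$p" = "$2" ] || out="${out:+$out }$p"; done
    printf '%s' "$out"
}

# ssl_protocol_set KEYWORD...: apply SSLProtocol arguments left to right
# (bare keyword = replace the set, +kw = add, -kw = remove; case-insensitive,
# so "-All" works) and print the resulting protocol set.
# Assumption: 'all' expands to the five versions below. The exact expansion
# depends on the httpd/OpenSSL build, but SSLv3 is always part of it.
ssl_protocol_set() {
    [ $# -gt 0 ] || return 2
    set_=""
    for w in "$@"; do
        case "$w" in
            +*) action="+"; w=${w#+} ;;
            -*) action="-"; w=${w#-} ;;
            *)  action="" ;;
        esac
        case "$(printf '%s' "$w" | tr '[:upper:]' '[:lower:]')" in
            all)     this="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            sslv2)   this="SSLv2" ;;
            sslv3)   this="SSLv3" ;;
            tlsv1)   this="TLSv1" ;;
            tlsv1.1) this="TLSv1.1" ;;
            tlsv1.2) this="TLSv1.2" ;;
            *) echo "invalid SSLProtocol keyword: $w" >&2; return 2 ;;
        esac
        case "$action" in
            "+") for p in $this; do set_=$(add_proto "$set_" "$p"); done ;;
            "-") for p in $this; do set_=$(del_proto "$set_" "$p"); done ;;
            *)   set_=$this ;;
        esac
    done
    printf '%s\n' "$set_"
}

# sslv3_enabled KEYWORD...: exit 0 if the directive leaves SSLv3 negotiable.
sslv3_enabled() {
    set_=$(ssl_protocol_set "$@") || return 2
    has_proto "$set_" SSLv3
}

# audit_sslprotocol_dir DIR: for every uncommented SSLProtocol directive under
# DIR print file:line, the directive, the protocol set it yields and a verdict.
# A directive inside an SSL <VirtualHost> overrides the server-wide one, so a
# single stray "all -SSLv2" in another file keeps SSLv3 alive for that vhost.
audit_sslprotocol_dir() {
    grep -rin '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS=: read -r file line text; do
        # Drop the directive name; keep its arguments for evaluation.
        args=$(printf '%s\n' "$text" | awk '{ $1 = ""; sub(/^ /, ""); print }')
        set -- $args
        if proto=$(ssl_protocol_set "$@" 2>/dev/null); then
            if has_proto "$proto" SSLv3; then verdict="SSLv3 ALLOWED"; else verdict="SSLv3 off"; fi
        else
            proto="?"; verdict="INVALID directive"
        fi
        printf '%s:%s: SSLProtocol %s -> [%s] %s\n' "$file" "$line" "$args" "$proto" "$verdict"
    done
}

# demo: constructed config tree (not a real system) in which ssl.conf was fixed
# but a second file still carries the pre-POODLE setting for the :443 vhost.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$d/ssl.conf"
    printf '<VirtualHost _default_:443>\n    SSLProtocol all -SSLv2\n</VirtualHost>\n' > "$d/vhost.conf"
    audit_sslprotocol_dir "$d"
    rm -rf "$d"
}
demo
```

Run `audit_sslprotocol_dir /etc/httpd` on the server after editing; every line flagged `SSLv3 ALLOWED` is a directive that still needs `-SSLv3`, regardless of what ssl.conf says. After a full httpd restart, the Red Hat probe above (`openssl s_client -connect host:443 -ssl3`) is the live confirmation: a hardened server refuses the SSLv3 handshake, which that script reports as `Cipher : 0000` and prints as "SSLv3 disabled".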