The new POODLE vulnerability led me to disable SSLv3 on my Ubuntu server. I have TLS/SSL enabled on three services: Apache, Exim and Dovecot. Each service required a different method to disable it.
Ubuntu uses configuration files split into small pieces. The method should apply to other distributions, although the configuration files may be arranged differently.
Apache was the simplest to disable. It only required a simple edit to /etc/apache2/mods-available/ssl.conf: add -SSLv3 to the existing SSLProtocol line.
SSLProtocol all -SSLv3
If the version in /etc/apache2/mods-enabled is not a symlink to this file, you will have to edit /etc/apache2/mods-enabled/ssl.conf or convert it to a symlink. Check the configuration to ensure you haven't overridden it in another file: SSLProtocol is also valid inside a VirtualHost, and a per-host setting overrides the global one, so search the whole of /etc/apache2 for SSLProtocol and run apache2ctl configtest before reloading.
Dovecot took a little trying. The configuration file has two options which control the relevant SSL behavior. The old ssl_cipher_list option still works, but I found it disabled TLS versions before TLS1.2. (In an OpenSSL cipher string, SSLv3 names the group of cipher suites introduced with SSLv3, which TLS 1.0 and 1.1 also use, so excluding it there strips suites rather than protocol versions and leaves only the TLS 1.2 suites.) The newer ssl_protocols option worked. It appears that they default the all option that is specified for
I keep edited local copies of the files so that distribution updates don't break my configuration. The ssl.conf file is located in /etc/dovecot/conf.d. I copied this to ssl-local.conf and edited the copy. I specified the ssl_protocols option with both SSLv3 and SSLv2 disabled. This is a space separated list.
ssl_protocols = !SSLv3 !SSLv2
Dovecot reads the files in conf.d in name order and a later file overrides an earlier one, so the copy must sort after the original or the original must not set ssl_protocols itself. doveconf ssl_protocols prints the value actually in effect.
The Ubuntu Exim build uses gnutls rather than openssl, so the configuration options required are different from those for openssl. The tls_require_ciphers option controls TLS/SSL; with GnuTLS it takes a GnuTLS priority string. I configure this in the main section ahead of the rest of the configuration.
I use a split configuration with the main section broken out in /etc/exim/conf.d/main. My local options are specified in 00_local_config. If you use a single configuration file, add the line before the first begin statement. Disabling SSLv3 was done by adding a new line.
tls_require_ciphers = SECURE128:-VERS-SSL3.0
If you use openssl, this statement may work but may only enable
tls_require_ciphers = ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Note that -SSLv3 in an OpenSSL cipher string removes the SSLv3 cipher-suite group (which TLS 1.0 and 1.1 share) rather than the protocol, which is why it tends to leave only TLS 1.2 suites. An OpenSSL build of Exim disables the protocol itself with the separate openssl_options main option, as in openssl_options = +no_sslv3.
I used the openssl s_client utility to run my tests. I tested using the protocol version flags; the -ssl2 version is documented but no longer supported. The simplest tests were for the implicit-TLS protocols such as imaps. (I have ssmtp enabled for testing.) The -quiet option shortens the output, as failures are obvious. I used commands in the form:
echo | openssl s_client -quiet -connect <host>:<port> -<tls_flavor>
This results in commands like:
echo | openssl s_client -quiet -connect localhost:https -ssl3
For -starttls connections (not applicable to http), use commands in this form; I tested smtp with it:
echo | openssl s_client -quiet -connect <host>:<port> -starttls <protocol> -<tls_flavor>
This results in commands like:
echo | openssl s_client -quiet -connect localhost:smtp -starttls smtp -ssl3
This test method should be applicable to all SSL/TLS connections. The -starttls option is documented to work with a fixed set of protocols; see the s_client manual page for the list your version supports.
I piped an empty echo into the command to cause the connection to close immediately. For smtp, I used echo quit to close the connection cleanly.
A rejected -ssl3 handshake fails with a handshake-failure alert and a non-zero exit status, while -tls1 or later should still connect; confirm both, since a server that refuses everything is a different failure from one that refuses SSLv3. Also note that OpenSSL 1.1.0 and later are built without SSLv3 by default, so on a newer client -ssl3 is reported as an unknown option. That says nothing about the server; run the SSLv3 probe from a client whose openssl still has it, or use another scanner.
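As an added example (this script is mine, not from the post), here are the s_client checks above wrapped into a small POSIX shell script that loops over each service and version flag and reports whether the handshake was accepted, rejected by the server, or not attemptable because the local openssl lacks that version flag. It assumes an openssl binary on PATH, the service list (https, imaps, and smtp with STARTTLS) is illustrative, and the sample transcripts at the bottom are constructed, abbreviated s_client output used for a dry run without a network.

```shell
#!/bin/sh
# Added example, not from the original post. Probe which SSL/TLS versions a
# service still accepts, using openssl s_client as the post does.
# Assumptions: openssl on PATH; the host/port list in scan() is illustrative.

# classify STATUS OUTPUT
# Turn an s_client exit status and its combined stdout/stderr into one word:
#   accepted            handshake completed (a cipher suite was negotiated)
#   rejected            server refused that version (alert or null cipher)
#   client-unsupported  the local openssl does not know the version flag, so
#                       the probe says nothing about the server
#   unreachable         TCP connect or name lookup failed
classify() {
    status=$1
    out=$2
    case $out in
        *"unknown option"*|*"Unknown option"*|*"openssl: not found"*|*"command not found"*)
            echo client-unsupported; return 0 ;;
        *"connect:errno"*|*"Connection refused"*|*"getaddrinfo"*)
            echo unreachable; return 0 ;;
        *"handshake failure"*|*"wrong version number"*|*"unsupported protocol"*|*Cipher*": 0000"*)
            echo rejected; return 0 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo accepted
    else
        echo rejected
    fi
    return 0
}

# probe HOST PORT FLAVOR [STARTTLS_PROTOCOL]
# FLAVOR is the s_client version flag without the dash (ssl3, tls1, tls1_1, tls1_2).
# -quiet is deliberately not used so the SSL-Session block is available to classify.
probe() {
    host=$1; port=$2; flavor=$3; st=${4:-}
    if [ -n "$st" ]; then
        # "quit" closes SMTP cleanly, as in the post; other protocols just see EOF.
        out=$(echo quit | openssl s_client -connect "$host:$port" -starttls "$st" "-$flavor" 2>&1)
    else
        out=$(echo | openssl s_client -connect "$host:$port" "-$flavor" 2>&1)
    fi
    status=$?
    classify "$status" "$out"
}

# scan HOST: one line per (service, version). The service list is an assumption
# mirroring the post's setup: https, imaps, and STARTTLS on smtp.
scan() {
    host=$1
    for svc in "https" "imaps" "smtp smtp"; do
        set -- $svc
        port=$1; st=${2:-}
        for flavor in ssl3 tls1 tls1_1 tls1_2; do
            printf '%-6s %-7s %s\n' "$port" "$flavor" "$(probe "$host" "$port" "$flavor" "$st")"
        done
    done
}

# Constructed, abbreviated s_client transcripts for a dry run without a network.
SAMPLE_REJECTED='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:SSL alert number 40
---
no peer certificate available
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

if [ $# -ge 1 ]; then
    scan "$1"
else
    # No host given: show the classifier on the constructed samples.
    echo "rejected sample -> $(classify 1 "$SAMPLE_REJECTED")"
    echo "accepted sample -> $(classify 0 "$SAMPLE_ACCEPTED")"
fi
```

Run it as sh probe-ssl.sh mail.example.com after the changes above; the ssl3 rows should read rejected and at least the tls1_2 rows accepted. A client-unsupported result on the ssl3 row means the probe never reached the server, which is exactly the inconclusive case noted above.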