{
  "$type": "site.standard.document",
  "canonicalUrl": "https://rickymoorhouse.uk/blog/2014/2014-10-18-disabling-sslv3",
  "path": "/blog/2014/2014-10-18-disabling-sslv3",
  "publishedAt": "2014-10-18T06:11:17.000Z",
  "site": "at://did:plc:r53zv4vpzeihop3aliwyejlu/site.standard.publication/3mos5q3a7jf2w",
  "tags": [
    "tech"
  ],
  "textContent": "With POODLE the time has come to disable SSLv3 everywhere. There will be clients that break and need fixing but it needs doing. You can read more details and background on the vulnerability.\n\nHere's a few useful snippets from my experience with it this week:\n\nApache\n\nMake sure the combination you have for the SSLProtocol line disables SSLv2 and v3 - something like:\nSSLProtocol All -SSLv2 -SSLv3\n\nDataPower\n\nEnsure your crypto profiles have SSLv2 and v3 disabled in the options line:\n\n[code lang=text]\n  switch <domain>\n  co \n  crypto \n  profile <profile>\n  option-string OpenSSL-default+Disable-SSLv2+Disable-SSLv3\n  exit \n  exit \n  write mem \n[/code]\n\nJava\n\nIf you have problems with handshakes from Java client process force the protocols to use with \n-Dhttps.protocols=TLSv1\n\nnginx\n\nMake sure the ssl_protocols line in your SSL configuration doesn't have SSLv3 in it.\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n\nnodejs\n\nMake sure you don't have secureProtocol:SSLv3_method anywhere in https options - use TLSv1_method instead if it's really needed.\n\nWebsphere\n\nSee Security bulletin",
  "title": "Disabling SSLv3"
}