Disabling SSLv3 for CVE-2014-3566 ("POODLE")


This article applies to:

  • NAC 4.0.6 and below
  • NAC CM 4.1.x
  • Note: This issue has been resolved for releases 4.0.7 and 4.2 and greater.

Question:

  • How can I disable SSLv3 to remove the vulnerability CVE-2014-3566 (known as "POODLE")?

Answer:

This vulnerability is a flaw in SSLv3, the protocol version used for HTTPS communication with web sites. To remove this vulnerability on Trustwave NAC Appliances you must disable SSLv3. This article provides the instructions to fully disable this protocol version on a currently installed system.

Disabling SSLv3 will also disable support for IE6.

Patch the CM

In order to turn off SSLv3, edit the file /etc/httpd/conf.d/httpd-ssl.conf

Change the line:

    SSLProtocol all -SSLv2

To:

    SSLProtocol all -SSLv2 -SSLv3

Then restart httpd:

    [~]# service httpd restart

If you have not set up a portal yet

If you have not set up a portal yet, or might create a new portal later, you should also edit the file /usr/dist/config/httpd/conf.d/template_head.conf on each Sensor in your deployment.

Changing this file ensures that all newly created portals have SSLv3 turned off.

Change the following line:

    SSLProtocol all -SSLv2

To:

    SSLProtocol all -SSLv2 -SSLv3

Trustwave recommends that you change this file even if you have already created a portal. This ensures that if a portal is recreated you will not reintroduce this issue.

Test the service

To test whether the HTTP server answers SSLv3 requests, use the following command (replace the IP address with the address of the system you are connecting to):

# openssl s_client -connect 10.50.9.218:443 -ssl3

If you run this command against a NAC system where SSLv3 has been disabled, the output looks like this (the server rejects the SSLv3 handshake with alert 40, "handshake failure"):

# openssl s_client -connect 70.113.205.58:443 -ssl3
CONNECTED(00000003)
17331:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
17331:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
#

For comparison, this is an example of the output when the server still accepts SSLv3 (note "Protocol : SSLv3" in the session summary):

# openssl s_client -connect 10.50.9.218:443 -ssl3
CONNECTED(00000003)
depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
i:/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
issuer=/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
---
No client certificate CA names sent
---
SSL handshake has read 1094 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is EXP1024-RC4-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : EXP1024-RC4-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Krb5 Principal: None
Start Time: 1413357374
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
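As an added example (not part of the Trustwave article), the following POSIX shell script checks an httpd SSL config file for SSLProtocol directives that still leave SSLv3 enabled, following the same edit shown above, and wraps the openssl s_client probe so the result can be read from its exit status. The function names and the constructed sample config are assumptions, not part of the NAC product.

```shell
#!/bin/sh
# Added example, not from the article: audit SSLProtocol directives for SSLv3
# and wrap the s_client probe. mod_ssl semantics: the protocol set starts
# empty; "all" and "+X" add protocols, "-X" removes them, so
# "all -SSLv2" still includes SSLv3 while "all -SSLv2 -SSLv3" does not.

# Exit 0 if every active SSLProtocol directive in file $1 disables SSLv3,
# 1 if any directive still allows it or if no directive is present.
sslv3_disabled_in_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments, blank lines
        tolower($1) == "sslprotocol" {
            found = 1; on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") on = 1
                else if (t == "-all" || t == "-sslv3") on = 0
            }
            if (on) { printf "line %d still allows SSLv3: %s\n", NR, $0; bad = 1 }
        }
        END {
            if (!found) { print "no SSLProtocol directive: mod_ssl default applies"; exit 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Same probe the article uses. Exit 0 if the server completed an SSLv3
# handshake (still exposed), 1 if it refused. Needs an OpenSSL build that
# still offers -ssl3; builds without SSLv3 support reject the option.
accepts_sslv3() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -ssl3 2>&1)
    if printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3'; then
        echo "$host:$port completed an SSLv3 handshake"; return 0
    fi
    echo "$host:$port refused SSLv3"; return 1
}

# Constructed sample config: the line before and after the article's edit.
demo() {
    f=$(mktemp)
    printf 'SSLProtocol all -SSLv2\n' > "$f"
    sslv3_disabled_in_conf "$f" || echo "before edit: SSLv3 still enabled"
    printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$f"
    sslv3_disabled_in_conf "$f" && echo "after edit: SSLv3 disabled"
    rm -f "$f"
}
demo
```

Run `sslv3_disabled_in_conf /etc/httpd/conf.d/httpd-ssl.conf` on the CM and on the Sensor template file after editing; `accepts_sslv3 <host>` reproduces the s_client test from the article.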

Notes:

  • If you encounter any issues that are not included in these instructions, please contact Trustwave Support. Be prepared to state the Trustwave NAC Version, and to provide evidence of the testing done and data gathered.


Last Modified 10/20/2014.
https://support.trustwave.com/kb/KnowledgebaseArticle20003.aspx