Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

SSLv3 Disabled

Thu, 16 Oct 2014 09:29:53 -0500 » Security, SSL, Networking, Programming, System Administration, Network Monitoring

In response to the recent POODLE vulnerability in SSLv3, I have disabled SSLv3 support in anything of mine which speaks SSL/TLS. All connections are running TLSv1.0, TLSv1.1, or TLSv1.2 now. I have also reviewed the list of ciphers on the Mozilla wiki, and updated mine as needed.

I have been experimenting with turning off SSLv3 support periodically over the past year. At one point in the sprint, Googlebot stopped visiting my site, as Googlebot required SSLv3 at the time. This apparently changed in June of this year to include TLSv1.0 at least.

Now that I’ve disabled SSLv3 support, I’m experimenting with logging the combination of ssl_protocol/ssl_cipher. So far after a few minutes, it is TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 for 100% of 9 requests logged. :-)
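As an added illustration of that protocol/cipher logging (this is example code written for this page, not the author's script or server configuration), the following Python tallies the negotiated protocol and cipher across access-log lines. It assumes a log format that appends the server's ssl_protocol/ssl_cipher pair to each line, with a bare "-" for requests that did not use TLS; the log lines themselves are constructed for the example, with RFC 5737 documentation addresses as clients.

```python
"""Tally negotiated TLS protocol/cipher pairs from access-log lines."""
import re
from collections import Counter

# Constructed sample access-log lines (not the author's real logs). The
# assumed format appends "<ssl_protocol>/<ssl_cipher>" to each line; a plain
# "-" stands for a request that did not use TLS at all.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2014:09:30:01 -0500] "GET / HTTP/1.1" 200 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
192.0.2.11 - - [16/Oct/2014:09:30:05 -0500] "GET /feed.xml HTTP/1.1" 200 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [16/Oct/2014:09:31:10 -0500] "GET /about/ HTTP/1.1" 200 TLSv1.0/ECDHE-RSA-AES256-SHA
203.0.113.5 - - [16/Oct/2014:09:32:44 -0500] "GET / HTTP/1.1" 200 SSLv3/DES-CBC3-SHA
192.0.2.12 - - [16/Oct/2014:09:33:02 -0500] "GET /index.html HTTP/1.1" 301 -
"""

# One regex for the assumed format: client, two ident/user fields, timestamp,
# quoted request line, status code, then the protocol/cipher field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<tls>\S+)$'
)

# Protocols that should never appear once SSLv3 (and SSLv2) are disabled.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["tls"] == "-":
        # Plain-HTTP request: no protocol or cipher was negotiated.
        rec["proto"], rec["cipher"] = None, None
    else:
        proto, _, cipher = rec["tls"].partition("/")
        rec["proto"], rec["cipher"] = proto, cipher or None
    return rec


def tally(log_text):
    """Count (protocol, cipher) pairs over TLS requests only."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"]:
            counts[(rec["proto"], rec["cipher"])] += 1
    return counts


def percentages(counts):
    """Share of each (protocol, cipher) pair as a percentage of TLS requests."""
    total = sum(counts.values())
    return {k: 100.0 * v / total for k, v in counts.items()} if total else {}


def legacy_clients(log_text):
    """Requests that negotiated SSLv2/SSLv3. After SSLv3 is disabled this
    list should be empty; any entry means some listener still offers it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] in LEGACY_PROTOCOLS:
            hits.append((rec["ip"], rec["proto"], rec["cipher"]))
    return hits


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    ranked = sorted(percentages(counts).items(), key=lambda kv: -kv[1])
    for (proto, cipher), pct in ranked:
        print(f"{pct:5.1f}%  {proto}/{cipher}")
    for ip, proto, cipher in legacy_clients(SAMPLE_LOG):
        print(f"legacy protocol negotiated: {ip} {proto}/{cipher}")
```

One caveat worth keeping in mind when reading such a tally: the access log only records handshakes that succeeded. A client that can speak nothing but SSLv3 simply fails to connect after the change and never produces a log line, so the distribution shows what the remaining visitors negotiated, not who was turned away; the server's error log is where those failed handshakes show up, if it logs them at all.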

© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.
CiscoDude.net is a personal website. Opinions expressed are not necessarily those of his employer.