Overview
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue. POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”.
A recently discovered vulnerability shows that SSLv3 should not be used, and its usage must be considered insecure. The majority of clients support recent versions of TLS. As there is no update available, the main recommendation is to completely disable SSLv3 support on your TLS/SSL servers and clients. Installations should rely only on recent versions of TLS.
Disambiguation of names and protocols
- SSL (Secure Sockets Layer) is the name of a secure transport protocol suite, initially developed by Netscape in the years before 1995 to 1996. It is the predecessor of TLS.
- SSLv3 is the last version of SSL, defined in RFC 6101 (1996), before the transition to TLS.
- TLS (Transport Layer Security) is the name of a secure transport protocol suite, developed within the framework of the IETF. TLS is the evolution of the SSL protocol and its successor.
Today, SSL and TLS are used synonymously, even if the vast majority of communication is already using TLS.
How to Disable SSLv3?
Apache HTTP server
To disable support for SSLv3 (and SSLv2) in Apache server, you have to add the following directive for each SSL/TLS section:
SSLProtocol All -SSLv2 -SSLv3
Then the Apache server needs to be restarted.
Nginx HTTP server
To disable support for SSLv3 (and SSLv2) in Nginx, you have to list only the supported protocols:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then Nginx needs to be restarted.
Postfix SMTP server
The Postfix SMTP server can be configured to support SSL/TLS encryption. The mandatory protocol versions can be enforced in main.cf:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Don’t forget to reload the Postfix configuration (postfix reload).
Microsoft IIS Internet Information Server
To disable SSLv3 on Microsoft IIS you need to edit the registry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
and set the following value (of type DWORD)
Enabled
to the value 0.
You will need to restart the server.
Dovecot IMAP
Update the local configuration of Dovecot IMAP to disable SSLv3:
ssl_protocols = !SSLv2 !SSLv3
and restart the server.
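To confirm that a configuration change really removed SSLv3, the directive lines shown above for Apache, Nginx, Postfix and Dovecot can be checked mechanically. The following is an added example, not part of the original advisory: the function names and the simplified model of each server's parsing are assumptions, and it inspects directive text only, not the live handshake.

```python
import re

KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def _apache(tokens):
    # mod_ssl style: "+X" adds, "-X" removes, a bare name or "All" replaces the set.
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(KNOWN) if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def _allow_list(tokens):
    # Nginx style: only the protocols that are listed are enabled.
    return set(tokens)

def _exclusions(tokens):
    # Postfix/Dovecot style: "!X" excludes X; with no plain names, the rest stay on.
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return (included or set(KNOWN)) - excluded

LINE = re.compile(r"^\s*([A-Za-z_]+)\s*(=?)\s*(.*?)\s*;?\s*$")

def sslv3_enabled(line):
    """True/False for a recognised protocol directive, None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    key, equals, value = m.group(1).lower(), m.group(2), m.group(3).lower()
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if key == "sslprotocol":
        model = _apache
    elif key == "ssl_protocols":  # name shared by Nginx (no "=") and Dovecot ("=")
        model = _exclusions if equals else _allow_list
    elif key == "smtpd_tls_mandatory_protocols":
        model = _exclusions
    else:
        return None
    return "sslv3" in model(tokens)

if __name__ == "__main__":
    # Constructed samples: one setting from the advisory, one incomplete variant.
    for sample in ("SSLProtocol All -SSLv2 -SSLv3", "SSLProtocol All -SSLv2"):
        print(sample, "->", "SSLv3 ENABLED" if sslv3_enabled(sample) else "ok")
```

A result of None means the line is not one of the four directives; an absent directive leaves the server on its built-in default, which this check does not evaluate.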
Synology NAS
Until now, there is no official recommendation from Synology. As the Synology DSM operating system relies on Apache, you can use this unofficial procedure to disable SSLv3.
Firefox
To disable SSLv3 in Firefox manually, you have to do the following:
- Open about:config in your browser
- Search for security.tls.version.min
- Right click > Modify
- Set the value to 1
This way you only accept TLSv1, TLSv1.1 and TLSv1.2.
SSLv3 will be disabled by default in Firefox 34, to be released on the 25th of November 2014.
You can also install the following plugin from Mozilla: SSL Version Control, which is sadly not signed.
Thunderbird
To disable SSLv3 in Thunderbird, you have to do the following:
- Open the Preferences menu
- Click on the Advanced button
- Go to the General tab
- Click on Config Editor
- Search for security.tls.version.min
- Right click > Modify
- Set the value to 1
Internet Explorer
To disable SSLv3 in Internet Explorer, you have to do the following:
- Open the Settings menu
- Go to Internet Options
- Click on the Advanced tab
- Search for SSLv3 and untick the box
Safari
Apple provides Security Update 2014-005 for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5, fixing the vulnerability at system-wide level.
References
- CVE-2014-3566 - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers
- How POODLE Happened - an historical perspective to
- POODLE Attack and SSLv3 Support Measurement
Contact
If you have any question about this vulnerability, feel free to contact us.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.3 - 17 October 2014 - Apple references added
- Version 1.2 - 15 October 2014 - References updated
- Version 1.1 - 15 October 2014 - Clients and servers updated
- Version 1.0 - 15 October 2014 - TLP:WHITE