Disable SSLv3 (POODLE Vulnerability) on Nginx, Apache and IIS

RE: CVE-2014-3566.

How to Disable SSLv3

Nginx (Debian)

In the Nginx configuration file /etc/nginx/nginx.conf:

server {
    listen 443 ssl;    # "ssl" on listen replaces the deprecated "ssl on;" directive
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # SSLv3 is left out of the list
    ....
}

Restart Nginx.

# service nginx restart

Apache (Debian)

In the Apache configuration file /etc/apache2/httpd.conf:

<VirtualHost *:443>
    ....
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    ....
</VirtualHost>

Restart Apache.

# service apache2 restart
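
To check the edited files themselves, the following added example (not part of the original page) scans configuration text for the Nginx ssl_protocols and Apache SSLProtocol directives and reports whether each one still permits SSLv3. It assumes Apache evaluates keywords left to right, that a bare keyword replaces the set, and that "all" includes SSLv3; the function names and the sample text are constructed for illustration.

```python
import re
import sys

# Matches an uncommented nginx ssl_protocols or Apache SSLProtocol directive.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def nginx_allows_sslv3(args):
    # nginx enables exactly the protocols that are listed.
    return "sslv3" in args.lower().split()

def apache_allows_sslv3(args):
    # Assumption: keywords apply left to right; "+"/"-" add or remove a
    # protocol, a bare keyword replaces the set, and "all" includes SSLv3.
    on = False
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        covers = token.lstrip("+-").lower() in ("sslv3", "all")
        if sign == "":
            on = covers
        elif covers:
            on = (sign == "+")
    return on

def audit(config_text):
    """Return (line_number, directive, allows_sslv3) per protocol directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            name, args = match.group(1), match.group(2)
            check = nginx_allows_sslv3 if "_" in name else apache_allows_sslv3
            findings.append((number, name, check(args)))
    return findings

# Constructed sample mixing both servers' directives (not from a real host).
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
    SSLProtocol -all +TLSv1.2
# SSLProtocol all
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number, name, allowed in audit(text):
        print(f"line {number}: {name}: {'SSLv3 ENABLED' if allowed else 'ok'}")
```

A file with no protocol directive yields no findings; the server's built-in default then applies and has to be checked separately.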

Internet Information Services (IIS)

On Windows Server (2003 to 2012 R2), TLS/SSL protocols are controlled by flags in the registry. Open PowerShell as Administrator and run:

PS> & REG.EXE ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f

Restart the Windows server.

You may want to disable SSLv2 too if using IIS 7.X:

PS> & REG.EXE ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
