apache poodle

Posted on Saturday April 30th, 2016

Today the work webserver was identified as being susceptable to CVE-2014-3566 comonly referred to as POODLE. It appears to be related to SSLv3.

With some reading and a chat with 'andre' online I was pointed at this website https://cipherli.st/ with details for ensuring apache and many other applications are configured securely. Milage may vary dependant upon versions installed ;)

Essentially I took to removing SSLv2 and SSLv3, employing the suggested ciphers and forcing their order. I take no credit for this - it's all on the page.

Basically, the httpd.conf SSL entries are updated to these:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On