POODLE Vulnerability and disabling SSLv3

15 Oct

Given the recently discovered POODLE vulnerability (http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html) I thought it might be useful to outline the steps taken to disable SSLv3.

You can use this website to check whether a public website still has SSLv2 and SSLv3 enabled: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?

You can also test your client here: https://www.howsmyssl.com/

[Image: POODLE logo]

An easy-to-follow user guide can be found here: https://blog.digicert.com/sslv3-vulnerability-poodle/

Specifically, the Windows/IIS registry change is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

(Reboot the server following the change)

To update your client machines using Group Policy, navigate to:

  • GPMC
  • User Configuration
  • Admin Templates
  • Windows Components
  • Internet Explorer
  • Internet Control Panel
  • Advanced Page

Set “Turn off Encryption Support” to “Use TLS 1.1 and TLS 1.2”:

[Screenshot: the "Turn off Encryption Support" policy setting]

FYI: Windows Server 2008 R2 supports TLS 1.1 and 1.2, but they are not enabled by default. You can use this registry change to enable them:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

(see here for details)

To disable TLS 1.0 you will need to add the following value (reboot afterwards, as above):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
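
As an added example (not part of the original post), the following PowerShell audits the SCHANNEL protocol keys described above and can apply the SSL 3.0 change from this post, so you can verify the state before and after the reboot. The function names and the reading of the two values (Enabled=0 switches a protocol off, DisabledByDefault=1 leaves it off unless an application asks for it explicitly, neither present means the OS default for that Windows version applies) are my own assumptions; writing the values needs an elevated session.

```powershell
# Added example, not from the original post. Audits the SCHANNEL protocol keys
# and can apply the SSL 3.0 change (Server Enabled=0, Client DisabledByDefault=1).
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Role = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path = Join-Path $SchannelBase "$p\$r"
            $enabled = $null; $dbd = $null
            if (Test-Path $path) {
                $props   = Get-ItemProperty -Path $path
                $enabled = $props.Enabled           # $null when the value is absent
                $dbd     = $props.DisabledByDefault
            }
            # Interpretation of the two values (assumption, see lead-in):
            # Enabled=0 turns the protocol off entirely; DisabledByDefault=1 keeps it
            # off unless explicitly requested; neither present = OS default applies.
            $state = if ($enabled -eq 0) { 'Disabled' }
                     elseif ($dbd -eq 1) { 'DisabledByDefault' }
                     elseif ($null -ne $enabled) { 'Enabled' }
                     else { 'OS default (no override)' }
            [pscustomobject]@{ Protocol = $p; Role = $r; Enabled = $enabled
                               DisabledByDefault = $dbd; State = $state }
        }
    }
}

function Disable-SchannelProtocol {
    # Writes the same values the post gives for SSL 3.0; reboot afterwards.
    param([string]$Protocol = 'SSL 3.0')
    $server = Join-Path $SchannelBase "$Protocol\Server"
    $client = Join-Path $SchannelBase "$Protocol\Client"
    New-Item -Path $server -Force | Out-Null   # creates the key if missing
    New-Item -Path $client -Force | Out-Null
    New-ItemProperty -Path $server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $client -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit the current state; run the disable step in an elevated session, then reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
# Disable-SchannelProtocol -Protocol 'SSL 3.0'
```

The registry view only tells you what the host is configured to do; confirm the live result after rebooting with one of the external checkers linked above.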

Reference: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/