Disable SSLv3 in Lighttpd to protect against POODLE attack

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not the implementation. This means the only proper fix is abandoning the SSLv3 protocol and use the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements, to disable both protocols:

ssl.use-sslv2 = “disable”
ssl.use-sslv3 = “disable”

Now restart the http daemon, so the new settings are applied.

Testing SSLv3 support

If your system is available via the internet, you can use the great service of SSL labs. If not, you can test your local webserver if it support SSL version 3 with OpenSSL:

echo “GET /” | openssl s_client -connect localhost:443 -ssl3 2> /dev/null | grep Protocol

This command will send a HTTP command to retrieve the home page. It uses OpenSSL to create the HTTPS connection (port 443) and forces it to use SSLv3. If it succeeds, it will show the line “Protocol  : SSLv3”. In that case your server still support version 3 of the weak SSL protocol.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon