Disable SSLv3 in Lighttpd to protect against POODLE attack
Protecting against the POODLE attack
The POODLE attack has entered the news a few times now. The issue behind POODLE is serious, as it abuses a weakness in the protocol itself, not in a particular implementation: the CBC padding in SSLv3 is not covered by the MAC, so an attacker who can force a connection down to SSLv3 can decrypt parts of the traffic byte by byte. This means the only proper fix is abandoning the SSLv3 protocol and using the newer TLS protocols.
Disable SSLv2 and SSLv3
Lighttpd commonly stores its configuration in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements to disable both protocols (plain double quotes, as lighttpd does not accept typographic quotes):
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
Now restart the HTTP daemon so the new settings are applied. It is worth letting lighttpd check the configuration syntax first, because a typo in the file would leave the server down after the restart. Recent lighttpd releases disable SSLv3 by default, but setting it explicitly does no harm and makes the intent visible in the config.
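The following script is an added example, not code from the original article or from the lighttpd project. It audits a lighttpd 1.4.x configuration for the two directives above, using two constructed sample configs (a weak socket block and a hardened one). The paths, the sample pemfile and the extra ssl.honor-cipher-order line are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a lighttpd 1.4.x
# configuration for ssl.use-sslv2 / ssl.use-sslv3, using two constructed
# sample configs. Paths, the pemfile and ssl.honor-cipher-order are
# illustrative assumptions.

# Return 0 if config TEXT ($2) has an active line `DIRECTIVE = "disable"`
# for DIRECTIVE ($1). Commented-out lines do not count because the pattern
# is anchored at the start of the line. Dots in the directive name are
# escaped so they match literally.
directive_disabled() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\"disable\""
}

# Read a config from FILE ($1), or from stdin when no file is given, and
# return 0 only if both ssl.use-sslv2 and ssl.use-sslv3 are set to "disable".
# Caveat: only the text given here is inspected; files pulled in with
# lighttpd's `include` must be checked separately.
sslv23_disabled() {
    conf=$(cat ${1:+"$1"})
    directive_disabled ssl.use-sslv2 "$conf" && directive_disabled ssl.use-sslv3 "$conf"
}

# Validate the syntax before restarting, so a typo cannot take the site down.
# `lighttpd -t -f FILE` is the daemon's own config test; the restart command
# depends on the distribution (service or systemctl). Not invoked by the demo.
apply_config() {
    lighttpd -t -f "$1" || return 1
    service lighttpd restart
}

# Constructed sample: an HTTPS socket block with no protocol directives at all.
weak_conf='$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
}'

# Constructed sample: the same socket with SSLv2 and SSLv3 disabled and the
# server's own cipher preference enforced.
hardened_conf='$SERVER["socket"] == ":443" {
    ssl.engine             = "enable"
    ssl.pemfile            = "/etc/lighttpd/server.pem"
    ssl.use-sslv2          = "disable"
    ssl.use-sslv3          = "disable"
    ssl.honor-cipher-order = "enable"
}'

# Stand-alone demo on the two samples. For a real audit run, for example:
#   sslv23_disabled /etc/lighttpd/lighttpd.conf && echo ok
printf '%s\n' "$weak_conf"     | sslv23_disabled && echo "weak: SSLv2/SSLv3 disabled" || echo "weak: SSLv3 not explicitly disabled"
printf '%s\n' "$hardened_conf" | sslv23_disabled && echo "hardened: SSLv2/SSLv3 disabled" || echo "hardened: SSLv3 not explicitly disabled"
```

Run apply_config only after sslv23_disabled reports success on the real file; the syntax test in apply_config catches a malformed line, but it does not know whether the protocol directives are present.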
Testing SSLv3 support
If your system is reachable from the internet, you can use the excellent SSL Labs server test. If not, you can test whether your local web server still supports SSL version 3 with OpenSSL:
echo "GET /" | openssl s_client -connect localhost:443 -ssl3 2> /dev/null | grep Protocol
This command sends a minimal HTTP request for the home page. It uses OpenSSL to set up the HTTPS connection (port 443) and forces it to use SSLv3. If the handshake succeeds, the output contains the line "Protocol : SSLv3" and your server still supports version 3 of the weak SSL protocol. Two caveats when reading the result: some OpenSSL versions print that Protocol line in the session summary even when the server refused the handshake, so also check that the "New, ..., Cipher is ..." line shows a real cipher rather than "(NONE)"; and OpenSSL builds that have SSLv3 compiled out reject the -ssl3 option altogether, in which case the command tells you nothing about the server and you need a build that still speaks SSLv3, or an external scanner, to test.
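The script below is an added example, not code from the original article. It wraps the s_client check above and classifies the result instead of grepping for "Protocol", because some OpenSSL versions print "Protocol : SSLv3" in the session summary even when the handshake was refused; the negotiated cipher line is the reliable signal. The three sample outputs are constructed and trimmed, not captured from any particular server, and the probe function assumes a host:port argument.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the output of
# `openssl s_client -ssl3` rather than grepping for "Protocol". The samples
# below are constructed and trimmed, not captured from a specific server.

# Read the merged stdout/stderr of s_client on stdin and print one word:
#   enabled     - an SSLv3 session with a real cipher was negotiated
#   disabled    - the server refused the SSLv3 handshake
#   unsupported - this OpenSSL build cannot speak SSLv3 (compiled out), so
#                 the run says nothing about the server
#   unreachable - no TCP connection could be made
#   unknown     - none of the patterns matched
classify_sslv3() {
    out=$(cat)
    case "$out" in
        *"nknown option"*"-ssl3"*|*"null ssl method passed"*)                echo unsupported ;;
        *"connect:errno="*|*"Connection refused"*)                           echo unreachable ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version number"*) echo disabled ;;
        *"Cipher is "*)                                                      echo enabled ;;
        *)                                                                   echo unknown ;;
    esac
}

# Probe a live HOST:PORT (assumed argument). Both streams are merged so that
# option errors and alert messages reach the classifier. Not invoked by the
# stand-alone demo below.
probe_sslv3() {
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$1" -ssl3 2>&1 | classify_sslv3
}

# Constructed sample: a server that still accepts SSLv3.
sample_enabled='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

# Constructed sample: a refused handshake. The "Protocol : SSLv3" line is still
# printed, which is why grepping for it alone is misleading.
sample_disabled='CONNECTED(00000003)
140735:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Constructed sample: an OpenSSL build with SSLv3 removed.
sample_unsupported='unknown option -ssl3
usage: s_client args'

# Stand-alone demo. Against a real server use: probe_sslv3 localhost:443
echo "sample_enabled     -> $(printf '%s\n' "$sample_enabled"     | classify_sslv3)"
echo "sample_disabled    -> $(printf '%s\n' "$sample_disabled"    | classify_sslv3)"
echo "sample_unsupported -> $(printf '%s\n' "$sample_unsupported" | classify_sslv3)"
```

Treat "unsupported" as an inconclusive result, not a pass: the client simply could not attempt SSLv3, so the server's configuration has not been exercised.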