Disable SSLv3 in Lighttpd to protect against POODLE attack

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol itself, not in a particular implementation. This means the only proper fix is abandoning the SSLv3 protocol and using the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements to disable both protocols:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Now restart the Lighttpd daemon so the new settings are applied.

Testing SSLv3 support

If your system is reachable from the internet, you can use the great service of SSL Labs. If not, you can test whether your local web server still supports SSL version 3 with OpenSSL:

echo "GET /" | openssl s_client -connect localhost:443 -ssl3 2> /dev/null | grep Protocol

This command sends an HTTP request to retrieve the home page. It uses OpenSSL to create the HTTPS connection (port 443) and forces it to use SSLv3. If the handshake succeeds, the output contains the line "Protocol  : SSLv3". In that case your server still supports version 3 of the weak SSL protocol.
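The following script is an added example, not part of the original post. It wraps the probe above and classifies the complete openssl output rather than only grepping for "Protocol": a build of OpenSSL without SSLv3 client support cannot prove anything, and OpenSSL 1.0.x can print an SSL-Session block naming SSLv3 even after a failed handshake. The names classify_ssl3_output, probe_sslv3 and selftest are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of an
# "openssl s_client -ssl3" probe instead of trusting the Protocol line alone.

# Read the combined stdout+stderr of "openssl s_client -ssl3" on stdin and print:
#   UNTESTABLE - this OpenSSL build has no SSLv3 client support, so nothing is proven
#   OK         - the server refused the SSLv3 handshake
#   VULNERABLE - an SSLv3 session with a real cipher suite was negotiated
#   UNKNOWN    - none of the expected markers were found; inspect the output by hand
classify_ssl3_output() {
  out=$(cat)
  case "$out" in
    *"nknown option"*)
      echo UNTESTABLE ;;
    *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
      # OpenSSL 1.0.x may still print "Protocol  : SSLv3" in its SSL-Session block
      # after a failed handshake; "Cipher is (NONE)" shows no session was set up.
      echo OK ;;
    *"Protocol  : SSLv3"*)
      echo VULNERABLE ;;
    *)
      echo UNKNOWN ;;
  esac
}

# Run the probe from the post against host:port (defaults: localhost 443).
# Usage: probe_sslv3 www.example.com 443
probe_sslv3() {
  echo "GET /" | openssl s_client -connect "${1:-localhost}:${2:-443}" -ssl3 2>&1 \
    | classify_ssl3_output
}

# Offline self-check using constructed (not captured) openssl output snippets.
selftest() {
  [ "$(printf 'CONNECTED(3)\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0039\n' \
      | classify_ssl3_output)" = VULNERABLE ] || return 1
  [ "$(printf 'sslv3 alert handshake failure\nNew, (NONE), Cipher is (NONE)\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : 0000\n' \
      | classify_ssl3_output)" = OK ] || return 1
  [ "$(printf 's_client: Unknown option: -ssl3\n' | classify_ssl3_output)" = UNTESTABLE ] || return 1
  echo "selftest passed"
}
```

A server that is no longer reachable over SSLv3 yields OK; treat UNTESTABLE as "retest from a host whose OpenSSL still ships the -ssl3 option", not as a clean result.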
