Disable SSLv3 in Lighttpd to protect against POODLE attack

Disable SSLv3 in Lighttpd

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not the implementation. This means the only proper fix is abandoning the SSLv3 protocol and using the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements to disable both protocols:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Now restart the http daemon, so the new settings are applied.

Testing SSLv3 support

If your system is reachable from the internet, you can use the great service of SSL Labs. If not, you can test whether your local web server supports SSL version 3 with OpenSSL:

echo "GET /" | openssl s_client -connect localhost:443 -ssl3 2> /dev/null | grep Protocol

This command sends an HTTP request to retrieve the home page. It uses OpenSSL to create the HTTPS connection (port 443) and forces it to use SSLv3. If it succeeds, it will show the line "Protocol  : SSLv3". In that case your server still supports version 3 of the weak SSL protocol.


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.
