Disable SSLv3 in Lighttpd to protect against POODLE attack

Disable SSLv3 in Lighttpd

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not in a particular implementation. This means the only proper fix is abandoning the SSLv3 protocol and using the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements to disable both protocols:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Now restart the lighttpd daemon, so that the new settings are applied.

Testing SSLv3 support

If your system is reachable from the internet, you can use the great service of SSL Labs. If not, you can test whether your local web server supports SSL version 3 with OpenSSL:

echo "GET /" | openssl s_client -connect localhost:443 -ssl3 2> /dev/null | grep Protocol

This command sends an HTTP request to retrieve the home page. It uses OpenSSL to create the HTTPS connection (port 443) and forces it to use SSLv3. If it succeeds, it will show the line "Protocol  : SSLv3". In that case your server still supports version 3 of the weak SSL protocol.
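The following script is an added example (not code from the original post or from the lighttpd project) that covers both steps above: it checks a lighttpd.conf for an active ssl.use-sslv3 = "disable" statement, and it classifies the output of openssl s_client -ssl3 more strictly than a bare grep for Protocol. Two caveats motivate the stricter parsing: if your local OpenSSL was built without SSLv3 support, the -ssl3 option is rejected and the test says nothing about the server, and with some OpenSSL versions the SSL-Session block (and therefore a "Protocol  : SSLv3" line) is printed even after a failed handshake, with the cipher shown as 0000. The script assumes openssl is on PATH and takes optional HOST and PORT arguments (defaulting to localhost:443); the sample outputs embedded in it are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original post: verify the lighttpd.conf
# statements and interpret "openssl s_client -ssl3" output strictly.
# Assumptions (not from the post): openssl is on PATH; HOST and PORT
# arguments default to localhost:443.

# conf_disables_sslv3 FILE: true when FILE contains an active (uncommented)
# ssl.use-sslv3 = "disable" statement, whatever the surrounding whitespace.
conf_disables_sslv3() {
    grep -Eq '^[[:space:]]*ssl\.use-sslv3[[:space:]]*=[[:space:]]*"disable"' "$1"
}

# sslv3_status: reads the combined stdout/stderr of s_client on stdin and
# prints exactly one word:
#   unsupported - local OpenSSL was built without SSLv3; test is inconclusive
#   refused     - server rejected SSLv3 (handshake failure, Cipher 0000)
#   negotiated  - a real SSLv3 session was set up: server still POODLE-exposed
# Order matters: the empty cipher "0000" is checked before the Protocol line,
# because that line can appear even when the handshake failed.
sslv3_status() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)        echo unsupported ;;
        *"Cipher    : 0000"*)     echo refused ;;
        *"Protocol  : SSLv3"*)    echo negotiated ;;
        *)                        echo refused ;;
    esac
}

# probe_sslv3 [HOST] [PORT]: run the real check. stderr is kept (2>&1) so an
# "unknown option" complaint from openssl is not silently discarded.
probe_sslv3() {
    printf 'GET / HTTP/1.0\r\n\r\n' \
        | openssl s_client -connect "${1:-localhost}:${2:-443}" -ssl3 2>&1 \
        | sslv3_status
}

# check_sslv3_disabled [HOST] [PORT]: exit status 0 only when the server
# refused SSLv3, so it can gate a cron job or a deployment script.
check_sslv3_disabled() {
    result=$(probe_sslv3 "$@")
    echo "SSLv3 on ${1:-localhost}:${2:-443}: $result"
    [ "$result" = refused ]
}

# Constructed sample outputs (not real captures) so sslv3_status can be
# exercised without a listening server.
SAMPLE_NEGOTIATED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_REFUSED='ssl3_read_bytes:sslv3 alert handshake failure
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_UNSUPPORTED='s_client: Unknown option: -ssl3'

if [ "$#" -gt 0 ]; then
    # Real probe: ./check-sslv3.sh HOST [PORT]
    check_sslv3_disabled "$@"
else
    # No arguments: show how the classifier judges each constructed sample.
    for s in "$SAMPLE_NEGOTIATED" "$SAMPLE_REFUSED" "$SAMPLE_UNSUPPORTED"; do
        printf 'sample => %s\n' "$(printf '%s\n' "$s" | sslv3_status)"
    done
fi
```

Run it with a host name (and optionally a port) to probe a server; with no arguments it only classifies the constructed samples. A result of "unsupported" means you need a different OpenSSL build or the SSL Labs service to reach a conclusion, not that the server is safe.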

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.