HOWTO: Disabling SSLv3 for CVE-2014-3566 ("POODLE")


This article applies to:

  • NAC 4.0.6 and below
  • NAC CM 4.1.x
  • Note: This issue has been resolved for releases 4.0.7 and 4.2 and greater.

Question:

  • How can I disable SSLv3 to remove the vulnerability CVE-2014-3566 (known as "POODLE")?

Answer:

This vulnerability is a flaw in SSLv3, the protocol used for HTTPS communication to web sites. To remove it on Trustwave NAC appliances you must disable SSLv3. This article provides the instructions to fully disable this protocol on a currently installed system.

Disabling SSLv3 will also disable support for IE6.

Patch the CM

To turn off SSLv3, edit the file /etc/httpd/conf.d/httpd-ssl.conf

Change the line:

    SSLProtocol all -SSLv2

To:

    SSLProtocol all -SSLv2 -SSLv3

Then restart httpd:

    [~]# service httpd restart

If you have not set up a portal yet

If you have not set up a portal yet, or might create a new portal later, you should also edit the file /usr/dist/config/httpd/conf.d/template_head.conf on each Sensor in your deployment.

Changing this file will ensure that all new portals turn off SSLv3.

Change the following line:


     # SSLProtocol all -SSLv2

To:

     # SSLProtocol all -SSLv2 -SSLv3

Trustwave recommends changing this file even if you have already created a portal, so that recreating a portal does not reintroduce the issue.
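
As an added check (not part of this article or Trustwave's tooling), the following Python script reads an Apache mod_ssl configuration fragment such as the two files above and reports whether the active SSLProtocol directive still leaves SSLv3 enabled. It assumes mod_ssl 2.2 semantics: the protocol set is SSLv2/SSLv3/TLSv1, a missing directive defaults to "all", and a line beginning with "#" is a comment that httpd never evaluates.

```python
# Added example (not Trustwave's tooling): audit an Apache mod_ssl config fragment
# for SSLv3 exposure.  Assumes mod_ssl 2.2 semantics: protocols SSLv2/SSLv3/TLSv1,
# 'all' expands to that set, a missing directive defaults to 'all', and a line
# beginning with '#' is a comment that httpd never evaluates.
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}        # assumed mod_ssl 2.2 protocol set
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}  # directive tokens are case-insensitive
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(conf_text):
    """Protocols left enabled after the last active SSLProtocol line.

    Tokens apply left to right as in mod_ssl: a bare name replaces the set,
    '+name' adds, '-name' removes.  A later directive overrides an earlier one.
    """
    enabled = set(ALL_PROTOCOLS)  # assumed default when no directive is active
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # comment (or stray prompt): ignored by httpd
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        enabled = set()
        for token in match.group(1).split():
            action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
            if name.lower() == "all":
                names = set(ALL_PROTOCOLS)
            elif name.lower() in CANONICAL:
                names = {CANONICAL[name.lower()]}
            else:
                raise ValueError("unknown SSLProtocol token: %s" % token)
            if action == "-":
                enabled -= names
            elif action == "+":
                enabled |= names
            else:
                enabled = names
    return enabled

def sslv3_disabled(conf_text):
    """True when the effective configuration no longer offers SSLv3."""
    return "SSLv3" not in enabled_protocols(conf_text)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read()  # e.g. /etc/httpd/conf.d/httpd-ssl.conf
    print(sorted(enabled_protocols(text)), "SSLv3 disabled:", sslv3_disabled(text))
```

Run it against the CM file after the edit above and it should report SSLv3 disabled; a directive that was accidentally left commented out reports the default protocol set instead.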

Test the service

To test whether the HTTP server answers SSLv3 requests, use the following command (replace the IP address with the address of the system you are connecting to):

    # openssl s_client -connect 10.50.9.218:443 -ssl3

On a NAC system where SSLv3 has been disabled, the command output looks like this:

    # openssl s_client -connect 70.113.205.58:443 -ssl3
    CONNECTED(00000003)
    17331:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
    17331:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
    #

For comparison, this is example output from a system where SSLv3 is still enabled and the handshake succeeds:

    # openssl s_client -connect 10.50.9.218:443 -ssl3
    CONNECTED(00000003)
    depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    i:/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    issuer=/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1094 bytes and written 308 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EXP1024-RC4-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv3
    Cipher : EXP1024-RC4-SHA
    Session-ID: ...
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1413357374
    Timeout : 7200 (sec)
    Verify return code: 18 (self signed certificate)
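
Many current OpenSSL builds are compiled without SSLv3 and reject the -ssl3 option, so the check above cannot always be run as written. The following Python script (an added example, not Trustwave's code) sends a raw SSLv3 ClientHello and classifies the reply the same way the two outputs above do: a handshake failure alert (number 40) means SSLv3 is refused, a ServerHello at version 3.0 means it is still accepted. The host, port and cipher list are assumed values.

```python
# Added example (not Trustwave's code): send a raw SSLv3 ClientHello and classify
# the reply, reproducing what 'openssl s_client -ssl3' shows above.  Host, port and
# the cipher list are assumed values.
import os
import socket
import struct

SSLV3 = b"\x03\x00"                         # record and handshake version 3.0
CIPHERS = (0x002F, 0x000A, 0x0005, 0x0004)  # AES128-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5

def build_sslv3_client_hello():
    """ClientHello offering at most SSLv3, no session ID, no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = (SSLV3 + os.urandom(32) + b"\x00"                   # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites           # cipher_suites
            + b"\x01\x00")                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake

def classify_response(data):
    """Verdict from the first record the server sends back.

    ServerHello (handshake type 2) at version 3.0: SSLv3 accepted, as in the
    unpatched output above.  Alert record (content type 21): refused; alert 40
    is the 'handshake failure' the patched system returns.
    """
    if len(data) < 5:
        return "no-reply"
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and version == SSLV3 and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"
    if content_type == 0x15 and len(data) >= 7:
        return "sslv3-refused (alert %d)" % data[6]
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:  # timeout or reset: no SSLv3 reply
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "10.50.9.218"))
```

A server that simply closes the connection yields "no-reply", which for this purpose also means SSLv3 was not negotiated.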

Notes:

  • If you encounter any issues that are not included in these instructions, please contact Trustwave Support. Be prepared to state the Trustwave NAC Version, and to provide evidence of the testing done and data gathered.
