HOWTO: Disabling SSLv3 for CVE-2014-3566 ("POODLE")


This article applies to:

  • NAC 4.0.6 and below
  • NAC CM 4.1.x
  • Note: This issue has been resolved for releases 4.0.7 and 4.2 and greater.


  • How can I disable SSLv3 to remove the vulnerability CVE-2014-3566 (known as "POODLE")?


This vulnerability exposes a flaw in SSLv3, the protocol version used for HTTPS communication to web sites. To remove this vulnerability on Trustwave NAC Appliances you must disable SSLv3. This article provides the instructions to fully disable this protocol on a currently installed system.

Disabling SSLv3 will also disable the support for IE6.

Patch the CM

In order to turn off SSLv3, edit the file /etc/httpd/conf.d/httpd-ssl.conf

Change the line:

    SSLProtocol all -SSLv2

to:

    SSLProtocol all -SSLv2 -SSLv3

Then restart httpd:

    [~]# service httpd restart

If you have not set up a portal yet

If you have not set up a portal yet, or might create a new portal later, you should also edit the file /usr/dist/config/httpd/conf.d/template_head.conf on each Sensor in your deployment.

Changing this file will ensure that all new portals turn off SSLv3.

Change the following line:

     # SSLProtocol all -SSLv2

to:

     # SSLProtocol all -SSLv2 -SSLv3

Trustwave recommends that you change this file even if you have already created a portal. This will ensure that if a portal is recreated you will not introduce this issue.
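As an added example (not part of the original article or the appliance software), the following Python check evaluates an SSLProtocol directive the way mod_ssl parses it, so you can confirm that the edited line really drops SSLv3 before restarting httpd. The protocol set that `all` expands to is an assumption for Apache 2.2 built against OpenSSL 1.0.1; adjust it for other builds.

```python
"""Check which protocols an httpd SSLProtocol directive leaves enabled."""
import re

# Assumption: what "all" expands to for Apache 2.2 built against OpenSSL
# 1.0.1. Other httpd/OpenSSL combinations expand "all" differently.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(config_text):
    """Return the protocol set enabled by the last SSLProtocol directive.

    Mirrors mod_ssl parsing: a directive starts from an empty set, then each
    token is applied left to right ('+name' adds, '-name' removes, a bare
    name replaces the set, 'all' expands to ALL_PROTOCOLS). Lines starting
    with '#' are comments; with no directive at all httpd uses its default
    of 'all', so a commented-out line is not a fix.
    """
    enabled = set(ALL_PROTOCOLS)  # default when the directive is absent
    for line in config_text.splitlines():
        match = DIRECTIVE.match(line)
        if not match:
            continue  # blank line, comment, or some other directive
        enabled = set()
        for token in match.group(1).split():
            action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
            if name.lower() == "all":
                names = set(ALL_PROTOCOLS)
            elif name.lower() in CANONICAL:
                names = {CANONICAL[name.lower()]}
            else:
                raise ValueError("unknown protocol %r in SSLProtocol" % name)
            if action == "-":
                enabled -= names
            elif action == "+":
                enabled |= names
            else:
                enabled = names
    return enabled


def sslv3_enabled(config_text):
    """True when the configuration would still accept SSLv3 handshakes."""
    return "SSLv3" in effective_protocols(config_text)


# Constructed fragments: the directive before and after the change above.
BEFORE = "SSLProtocol all -SSLv2\n"
AFTER = "SSLProtocol all -SSLv2 -SSLv3\n"
COMMENTED_OUT = "# SSLProtocol all -SSLv2 -SSLv3\n"  # no directive: httpd default

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("commented", COMMENTED_OUT)):
        print(label, sorted(effective_protocols(text)), "SSLv3 enabled:", sslv3_enabled(text))
```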

Test the service

To test whether the HTTP server answers SSLv3 queries you can use the following command (replace <IP-address> with the address of the system you are connecting to; 443 is the HTTPS port):

    # openssl s_client -connect <IP-address>:443 -ssl3

If you run this command against a NAC system where SSLv3 has been disabled, the handshake fails. This is an example of the command output:

    # openssl s_client -connect <IP-address>:443 -ssl3
    17331:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
    17331:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:


For comparison, this is an example of the output when the SSLv3 handshake succeeds (SSLv3 is still enabled):

    # openssl s_client -connect <IP-address>:443 -ssl3
    depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    verify return:1
    Certificate chain
    0 s:/C=US/ST=Texas/L=Austin/O=Trustwave/OU=IT/CN=cm.tw.com/emailAddress=nacsupport@trustwave.com
    Server certificate
    No client certificate CA names sent
    SSL handshake has read 1094 bytes and written 308 bytes ---
    New, TLSv1/SSLv3, Cipher is EXP1024-RC4-SHA
    Server public key is 1024 bit
    Protocol : SSLv3
    Cipher : EXP1024-RC4-SHA
    Session-ID: ...
    Master-Key: ...
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1413357374
    Timeout : 7200 (sec)
    Verify return code: 18 (self signed certificate)


  • If you encounter any issues that are not included in these instructions, please contact Trustwave Support. Be prepared to state the Trustwave NAC Version, and to provide evidence of the testing done and data gathered.
