It was recently discovered that SSL 3.0 is vulnerable to a man-in-the-middle attack dubbed “POODLE”. It is tracked as CVE-2014-3566, described here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
The flaw is in the SSL 3.0 protocol itself rather than in any one implementation, so the recommended fix is to disable SSL 3.0.
The following describes how to do that:
## Apache
In RHEL/CentOS, edit `/etc/httpd/conf.d/ssl.conf`.
In Ubuntu/Debian, edit `/etc/apache2/mods-enabled/ssl.conf`.
Look for a line beginning with `SSLProtocol`; it should look something like this:
```apache
SSLProtocol all -SSLv2
```
You need to modify it to look like this:
```apache
SSLProtocol all -SSLv2 -SSLv3
```
And then restart Apache:
RHEL/CentOS: `/etc/init.d/httpd restart`
Ubuntu/Debian: `/etc/init.d/apache2 restart`
## Webmin/Virtualmin
Webmin will correct this issue automatically in the future. In the meantime, to disable SSLv3, edit this file:
`/etc/webmin/miniserv.conf`
And add the following line to the end:
```
ssl_version=10
```
Then restart Webmin:
`/etc/init.d/webmin restart`
## Usermin
Edit this file:
`/etc/usermin/miniserv.conf`
And add the following line to the end:
```
ssl_version=10
```
Then restart Usermin:
`/etc/init.d/usermin restart`
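As an added example (not part of the original post), here is a small offline checker for the Apache and Webmin/Usermin changes above: it applies mod_ssl's SSLProtocol parsing rules to an ssl.conf and reports whether SSLv3 is still enabled, and reads the `ssl_version` value back out of a miniserv.conf so you can confirm the appended line is the one that takes effect. It assumes the protocol list and the `all` default of the Apache builds of that period; the sample configs are constructed.

```python
import re
# mod_ssl's SSLProtocol grammar: tokens are protocol names or "all", optionally
# prefixed "+" (enable) or "-" (disable). A bare token replaces whatever was
# enabled so far, so "-SSLv3 all" does NOT disable SSLv3. Names are matched
# case-insensitively. Protocol list assumed for Apache builds of the period.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

def parse_sslprotocol(value):
    """Return the set of protocols an SSLProtocol directive value enables."""
    enabled = set()
    for token in value.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            protos = set(ALL_PROTOCOLS)
        elif token.lower() in _CANON:
            protos = {_CANON[token.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos  # bare token overrides everything before it
    return enabled

def apache_sslv3_enabled(conf_text):
    """True if any SSLProtocol directive still allows SSLv3, or if none exists
    (mod_ssl's default at the time, "all", includes SSLv3). Every directive is
    checked because one inside <VirtualHost> overrides the global one."""
    directives = []
    for line in conf_text.splitlines():
        m = re.match(r"SSLProtocol\s+(.+)", line.strip(), re.IGNORECASE)
        if m:  # commented-out lines start with "#" and therefore never match
            directives.append(parse_sslprotocol(m.group(1)))
    return not directives or any("SSLv3" in d for d in directives)

def miniserv_ssl_version(conf_text):
    """ssl_version from a Webmin/Usermin miniserv.conf (key=value lines);
    the last occurrence wins, matching the line the post says to append."""
    hits = [v.strip() for k, sep, v in (l.partition("=") for l in conf_text.splitlines())
            if sep and k.strip() == "ssl_version"]
    return hits[-1] if hits else None

# Constructed sample configs: the "before" and "after" from the Apache section.
BEFORE = "SSLEngine on\n#SSLProtocol all\nSSLProtocol all -SSLv2\n"
AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
```

Run `apache_sslv3_enabled(open("/etc/httpd/conf.d/ssl.conf").read())` against the real file, and remember that a `SSLProtocol` line inside any `<VirtualHost>` block counts too.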