Mitigating Poodle / SSL 3.0 Issue

It was recently discovered that SSL 3.0 is vulnerable to a man-in-the-middle attack, a method dubbed “Poodle”. That’s part of CVE-2014-3566, which is described here:

The problem is within the SSL protocol itself, and thus, it is recommended that SSL 3.0 be disabled.

The following describes how to do that:


In RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf.

In Ubuntu/Debian, edit /etc/apache2/mods-enabled/ssl.conf.

Look for a line beginning with SSLProtocol; it should look something like this:

SSLProtocol all -SSLv2

You need to modify it to look like this:

SSLProtocol all -SSLv2 -SSLv3

And then restart Apache:

RHEL/CentOS: /etc/init.d/httpd restart

Ubuntu/Debian: /etc/init.d/apache2 restart


Webmin will correct this issue automatically in the future. In the meantime, to disable SSLv3, edit this file:


And add the following line to the end:


Then restart Webmin:

/etc/init.d/webmin restart


Edit this file:


And add the following line to the end:


Then restart Usermin:

/etc/init.d/usermin restart

Would the same procedure apply to Usermin as well?

On all of my CentOS 6 & 7 boxes, “SSLProtocol ALL -SSLv2” is also declared in the /etc/httpd/conf/httpd.conf file; it must be changed in this location as well.

Thanks for the heads up about this! While I didn’t notice that on our main Virtualmin server, I’ll review some other CentOS systems to see if that’s common.


Not declared in my httpd.conf running Virtualmin on CentOS Linux 5.11.


I was wondering what could be done for Postfix and Dovecot SSL connections. I found this:

Describing more or less what has been said here for Apache and adding some info for Postfix and Dovecot.

For Postfix, they mention 2 options related to the way you are running it, either “opportunistic SSL” or “mandatory SSL”, but because I mainly use Virtualmin to set up my servers, I have trouble understanding the relationship between these 2 modes and the Virtualmin parameters. Could somebody give me some pointers about the parameters in Virtualmin that make my Postfix SSL “opportunistic” or “mandatory”?
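As an added example (not the thread's own instructions, and not Webmin or Virtualmin code), the following Python script evaluates the Apache SSLProtocol syntax used in the opening post and the "!"-exclusion list syntax that Dovecot and Postfix use, then reports any directive that still leaves SSLv2 or SSLv3 enabled. The Postfix parameter names in the sample (smtpd_tls_security_level, smtpd_tls_protocols, smtpd_tls_mandatory_protocols) are standard Postfix settings that the thread does not show: a security level of "may" is opportunistic TLS and "encrypt" is mandatory TLS, and each mode reads its own protocol list. Two modelling assumptions are made: the Apache keyword "all" is taken to mean every protocol from SSLv2 through TLSv1.2, as it did on the 2014-era builds discussed here, and the configuration text is a constructed sample.

```python
"""Audit TLS protocol settings for lingering SSLv2/SSLv3 (the POODLE exposure).

Added example, not Webmin/Virtualmin code. Modelling assumptions: Apache's
'all' keyword expands to every protocol in ALL_PROTOCOLS (how the 2014-era
builds in this thread behaved); Postfix/Dovecot lists are exclusion lists
when every entry starts with '!', otherwise inclusion lists.
"""
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# Apache directives use +/- modifiers; Postfix and Dovecot use '!' exclusions.
APACHE_DIRECTIVES = {"sslprotocol"}
EXCLUSION_DIRECTIVES = {
    "ssl_protocols",                                         # Dovecot
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",  # Postfix, inbound
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",    # Postfix, outbound
}
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=?\s*(.+?)\s*$")


def _canon(name):
    """Canonical spelling of a protocol keyword, or None if it is unknown."""
    return _CANON.get(name.strip().lower())


def apache_enabled(args):
    """Evaluate an Apache SSLProtocol argument list left to right:
    a bare keyword replaces the set, '+' adds, '-' removes."""
    enabled = set()
    for token in args.split():
        op = token[0] if token[0] in "+-" else ""
        name = token[1:] if op else token
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif _canon(name) is not None:
            names = {_canon(name)}
        else:
            raise ValueError("unknown protocol keyword: %r" % token)
        if op == "-":
            enabled -= names
        elif op == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def exclusion_enabled(args):
    """Evaluate a Postfix/Dovecot style list such as '!SSLv2 !SSLv3' or
    'TLSv1, TLSv1.1, TLSv1.2' (commas or whitespace separate entries)."""
    tokens = [t for t in re.split(r"[\s,]+", args.strip()) if t]
    excluded = {_canon(t[1:]) for t in tokens if t.startswith("!")}
    included = {_canon(t) for t in tokens if not t.startswith("!")}
    if None in excluded or None in included:
        raise ValueError("unknown protocol keyword in: %r" % args)
    base = included if included else set(ALL_PROTOCOLS)
    return base - excluded


def audit(config_text):
    """Return one finding per protocol directive found in config_text."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        match = _LINE_RE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        key, args = match.group(1).lower(), match.group(2)
        if key in APACHE_DIRECTIVES:
            enabled = apache_enabled(args)
        elif key in EXCLUSION_DIRECTIVES:
            enabled = exclusion_enabled(args)
        else:
            continue
        findings.append({
            "line": lineno,
            "directive": match.group(1),
            "enabled": sorted(enabled),
            "poodle_safe": not (enabled & {"SSLv2", "SSLv3"}),
        })
    return findings


# Constructed sample mixing the three file formats discussed in the thread.
SAMPLE_CONFIG = """\
# Apache ssl.conf before the fix
SSLProtocol all -SSLv2
# Apache ssl.conf after the fix
SSLProtocol all -SSLv2 -SSLv3
# Dovecot 10-ssl.conf
ssl_protocols = !SSLv2 !SSLv3
# Postfix main.cf: 'may' = opportunistic TLS, 'encrypt' = mandatory TLS
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1, TLSv1.1, TLSv1.2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        status = "ok" if f["poodle_safe"] else "SSLv3 STILL ENABLED"
        print("line %2d %-30s %-28s %s" % (f["line"], f["directive"],
                                           " ".join(f["enabled"]), status))
```

Run as-is it reports line 2 of the sample (the unchanged "SSLProtocol all -SSLv2") as still enabling SSLv3 and the other four directives as clean; point audit() at the contents of your own ssl.conf, httpd.conf, main.cf or 10-ssl.conf to check a real host, remembering from the thread that the Apache directive can appear in more than one file.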


There is a conflict going on with Webmin and Usermin and using only PCI-secure protocols.

If you are using PCI protocols, Webmin uses the following:


Notice the +SSLv3 — if you change that to the required !SSLv3, you can’t connect to Webmin or Usermin.

Secure Connection Failed

An error occurred during a connection to Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

How do you solve this issue?

I found the solution to the PCI ciphers in Usermin and Webmin…

Set the following in miniserv.conf:


This makes the PCI scan pass.

It sounds like there isn’t a good way to solve this problem by changing the ciphers in Webmin and Usermin (though I read your post after I posted this, and sounds like you may have gotten that very thing working!).

However, the “ssl_version=10” setting mentioned above will effectively disable SSLv2 and SSLv3 in Webmin and Usermin. Will that do what you’re after?

There’s a Webmin bug report open that discusses that here:

Hmm, that’s not pasting right.

Disable SSLv3 --> !SSLv3

Then add next to the first TLS --> :+TLSv1.1:+TLSv1.2

Eric, you got Google Talk? Add me if you do – sgrayban

If I add the suggested ssl_cipher_list to my miniserv.conf for Webmin, I get:


So, back to ssl_version=10.

That cipher list isn’t pasting right – it’s missing a couple of ciphers.

See for the right lines to add to miniserv.

I don’t have an SF account, so I can’t add what PCI will require now.

If anyone wants to contact me about the PCI issue, add to your Google Talk.

That line is in my http.conf as well. Do I need to add -SSLv3?

SSLProtocol ALL -SSLv2

This will remove the POODLE vulnerability risk for Webmin and Usermin.

ssl_protocols = !SSLv2 !SSLv3

The cipher and the protocol are distinct.

TLS1, for example, can use an SSLv3 cipher. For this reason it must be included in ssl_cipher_list to work correctly.

As for the protocols, this explicitly denies SSLv3 and SSLv2.

I found a site that really helped with getting everything secured with Apache. I know this has been beaten to death, but these ciphers and settings are what you need to pass PCI and secure against all the current hacks with Apache…


SSLHonorCipherOrder on
SSLCompression Off
SSLProtocol all -SSLv2 -SSLv3

You can see the results by testing my billing server at

The only issue is that the current cert was issued using SHA1, but that will not make the PCI scan fail; it will just give you a warning that SHA1 certs will not be allowed after 2014.

I can’t get this to work on my CentOS 6 Virtualmin.

I have this in my /etc/webmin/miniserv.conf: