
First off, let me say that I'm a Windows admin trying to address a vulnerability in Linux, so please use small words.

I have a CentOS server that has been identified as being vulnerable to POODLE, so I found the POODLE wiki and verified that I am at a higher patch level than what is required. Now I need to find mitigation steps for the installed services.

I used "yum list installed" and checked through the list for software referenced in the wiki's mitigation steps. I found that I have:

  • httpd.x86_64 2.2.15-39.el6.centos
  • httpd-manual.noarch 2.2.15-39.el6.centos
  • httpd-tools.x86_64 2.2.15-39.el6.centos

Super. So I clicked the link to view httpd mitigation. The resolution steps say I should modify either ssl.conf or nss.conf, but I don't have either of those files.

Now I'm stuck. I do not know the URL to the site(s) hosted on this server.

  • How do you know you're vulnerable? – Neil Smithline Sep 10 '15 at 17:43
  • 4
    `grep -r SSLProtocol /etc/httpd/` will find httpd config files with the appropriate SSL settings in it - ssl.conf is the default but it may have been renamed. If not there, perhaps something other than httpd is listening - if you know what port it's on, use `netstat -tnlp` as root to see the PID of the process listening to that port. – gowenfawr Sep 10 '15 at 17:50
  • Whomever notified you of the vulnerability should be able to tell you what sites on the server are vulnerable, or at least what port the vulnerable service(s) are running on. – Iszi Sep 10 '15 at 18:52
  • An alternative option is to obtain (or compile yourself) a version of OpenSSL without SSLv3 support. I have no idea how best to do this on CentOS or I'd suggest it as an answer, but maybe somebody has a better idea of how viable this would be or what it would take and can turn it into an answer. – CBHacking Sep 11 '15 at 07:46
  • The customer hired some security company to do a scan and this vulnerability came back, for this server. So I ran `grep -r SSLProtocol /etc/httpd/` and found that SSLProtocol only appears in "/etc/httpd/conf.d/unused/ssl.conf.bak:SSLProtocol all -SSLv2" and binary file "/etc/httpd/modules/mod_ssl.so". – StackExchangeGuy Sep 11 '15 at 15:05

1 Answer


On CentOS 6

SSLProtocol all -SSLv2 -SSLv3

Needs to be in each virtual host that provides SSL support. Look for any file that has

SSLEngine on

and place the SSLProtocol directive after it.

I do not recommend replacing the OpenSSL on CentOS 6, too many applications use the vendor provided OpenSSL and it can get messy to try and have two different versions installed at once. The directive works, you just need to make sure it is in each VirtualHost that enables SSL support.
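The check the answer describes (find every config file with `SSLEngine on` and confirm an `SSLProtocol` directive that drops SSLv3 accompanies it) can be scripted so the result is repeatable after the edit. The script below is an added example, not code from the original answer or from the Apache project. It assumes httpd only loads `*.conf` files under the configuration directory (the CentOS default `Include conf.d/*.conf`), so stale `.bak` copies like the one found in the question are ignored, and that config paths contain no whitespace. The sample configuration directory it builds is constructed for the demo; point `audit_sslv3` at `/etc/httpd` for a real server.

```shell
#!/bin/sh
# Added example: audit Apache httpd *.conf files for SSL-enabled VirtualHosts
# that still allow SSLv3 (the POODLE-relevant setting).

# audit_sslv3 DIR
#   Prints one line per *.conf file that contains "SSLEngine on", marked
#   OK or VULNERABLE. Returns 1 if any file is flagged, 0 otherwise.
#   Assumption: paths under DIR contain no whitespace.
audit_sslv3() {
    dir="$1"
    bad=0
    for f in $(find "$dir" -name '*.conf' -type f | sort); do
        # Only files that actually enable SSL matter
        grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" || continue
        # Uncommented SSLProtocol lines in this file (may be empty)
        proto=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$f" || true)
        if [ -z "$proto" ]; then
            # mod_ssl's default protocol list includes SSLv3
            echo "VULNERABLE (no SSLProtocol directive, SSLv3 allowed by default): $f"
            bad=1
        elif printf '%s\n' "$proto" | grep -qi -- '-SSLv3'; then
            echo "OK: $f"
        elif printf '%s\n' "$proto" | grep -qiE '(^|[[:space:]])\+?(all|SSLv3)([[:space:]]|$)'; then
            # "all" (as in the pre-POODLE "all -SSLv2") or an explicit +SSLv3
            echo "VULNERABLE: $f"
            bad=1
        else
            echo "OK (explicit TLS-only protocol list): $f"
        fi
    done
    return $bad
}

# make_sample_dir
#   Builds a constructed httpd-style config tree for the demo and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d/unused"
    # Hardened vhost: SSLv3 explicitly disabled, as the answer recommends
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n' > "$d/conf.d/secure.conf"
    # Pre-POODLE setting: only SSLv2 disabled, so SSLv3 is still offered
    printf '<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all -SSLv2\n</VirtualHost>\n' > "$d/conf.d/legacy.conf"
    # SSL enabled with no SSLProtocol at all: the default includes SSLv3
    printf '<VirtualHost *:443>\n    SSLEngine on\n</VirtualHost>\n' > "$d/conf.d/default.conf"
    # Plain HTTP vhost: nothing to check
    printf '<VirtualHost *:80>\n    DocumentRoot /var/www/html\n</VirtualHost>\n' > "$d/conf.d/plain.conf"
    # Stale backup like the one in the question: not *.conf, so httpd never loads it
    printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$d/conf.d/unused/ssl.conf.bak"
    echo "$d"
}

# Demo on the constructed tree (real use: audit_sslv3 /etc/httpd)
sample_dir=$(make_sample_dir)
audit_sslv3 "$sample_dir" || echo "At least one SSL-enabled config still allows SSLv3"
rm -rf "$sample_dir"
```

The script deliberately reports a file with `SSLEngine on` but no `SSLProtocol` line at all, since that case is as exposed as `all -SSLv2` yet produces no hit for the `grep -r SSLProtocol` used in the comments. After editing the configs, rerun it and then restart httpd; the directive has no effect until the service reloads.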