SSLv3 is enabled

If you receive a warning that SSLv3 is enabled, disable SSLv3 to prevent the POODLE exploit.

Symptoms

You receive the following warning: SSLv3 is enabled.

Causes

SSLv3 contains a protocol vulnerability known as Padding Oracle On Downgraded Legacy Encryption (POODLE). If SSLv3 is enabled on your system, an attacker positioned between a client and the server can force the connection to fall back from TLS to SSLv3, break the encryption, and read the network traffic in plaintext. The vulnerability is detailed in the National Vulnerability Database as CVE-2014-3566.

Guardium recommends disabling SSLv3 on all systems to prevent the POODLE exploit, and SSLv3 is disabled by default on new Guardium systems. However, older systems and some upgrade scenarios may leave SSLv3 enabled.

This topic describes how to check the status of SSLv3 and disable it if necessary.

Attention: Disabling SSLv3 can disrupt connectivity between a Guardium v10 Central Manager and some managed units running Guardium v9 before GPU 500. If you have a mixed environment with managed units running Guardium v9 before GPU 500, either upgrade the managed units to GPU 500 or apply patch 9501 before disabling SSLv3.

Resolving the problem

  1. Verify the status of SSLv3 using the following CLI command: show sslv3.

    • If the output indicates SSL setting is disabled, SSLv3 is disabled. No additional steps are required to disable SSLv3.
    • If the output indicates SSL setting is enabled, SSLv3 is enabled. Continue with this procedure to disable SSLv3.
  2. Disable SSLv3 using the following CLI command: store sslv3 off. The command output should be similar to the following:

    Current SSL setting is enabled.  Will change to disabled.
    Restarting gui
    Changing to port 8443
    From port 8443
    Stopping.......
    ok
  3. Verify that SSLv3 is now disabled: show sslv3. The output should now indicate SSL setting is disabled.
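After `store sslv3 off`, a check from a separate host confirms that the GUI port no longer negotiates SSLv3. The script below is an added example, not Guardium code or output: it sends a raw SSLv3 ClientHello to port 8443 (the port named in the command output above) and classifies the reply. A raw probe is used because many current OpenSSL builds are compiled without SSLv3, so `openssl s_client -ssl3` can fail on the scanning host itself and look like a refusal by the appliance. The hostname is a placeholder.

```python
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # protocol version 3.0 = SSLv3

def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (RFC 6101 layout)."""
    # Legacy suites an SSLv3 stack would recognise; the probe only needs one to match.
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    client_random = b"\x00" * 32                  # fixed random is fine for a yes/no probe
    body = (SSLV3 + client_random + b"\x00"       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Classify the first record the server returns to the SSLv3 probe."""
    if len(data) < 5:
        return "closed-or-silent"   # connection closed or nothing sent: SSLv3 not offered
    if data[0] == 0x15:
        return "refused"            # Alert record (typically protocol_version / handshake_failure)
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake record, ServerHello
        major, minor = data[9], data[10]                          # server_version inside ServerHello
        if (major, minor) == (3, 0):
            return "sslv3-accepted"  # the appliance still speaks SSLv3: the change did not take effect
        return f"other-version-{major}.{minor}"
    return "unrecognised"

def probe_sslv3(host: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
    except OSError:                  # timeout, reset, refused or unresolvable host
        data = b""
    return classify_response(data)

if __name__ == "__main__":
    # Placeholder hostname (not a real appliance); pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "guardium.example.invalid"
    print(f"{target}:8443 -> {probe_sslv3(target)}")
```

A result of `refused` or `closed-or-silent` is the expected outcome once SSLv3 is disabled; `sslv3-accepted` means the GUI still negotiates SSLv3 and the CLI steps should be repeated.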