SSLv3 is enabled
If you receive a warning that SSLv3 is enabled, disable SSLv3 to prevent the POODLE exploit.
Symptoms
You receive the following warning: SSLv3 is enabled.
Causes
SSLv3 contains a protocol vulnerability known as Padding Oracle On Downgraded Legacy Encryption (POODLE). If SSLv3 is enabled on your system, an attacker positioned between a client and the system can force the connection to fall back from TLS to SSLv3 and then exploit the weak handling of CBC padding in SSLv3 to recover plaintext, such as session cookies, from the encrypted traffic. The vulnerability is detailed in the National Vulnerability Database as CVE-2014-3566.
Guardium recommends disabling SSLv3 on all systems to prevent the POODLE exploit, and SSLv3 is disabled by default on new Guardium systems. However, older systems and some upgrade scenarios may leave SSLv3 enabled.
This topic describes how to check the status of SSLv3 and disable it if necessary.
Resolving the problem
- Verify the status of SSLv3 using the following CLI command:
  show sslv3
  - If the output indicates SSL setting is disabled, SSLv3 is disabled. No additional steps are required.
  - If the output indicates SSL setting is enabled, SSLv3 is enabled. Continue with this procedure to disable SSLv3.
- Disable SSLv3 using the following CLI command:
  store sslv3 off
  The command restarts the GUI, so the web console is briefly unavailable. The command output should be similar to the following:
  Current SSL setting is enabled. Will change to disabled.
  Restarting gui
  Changing to port 8443 From port 8443
  Stopping....... ok
- Verify that SSLv3 is now disabled:
  show sslv3
  The output should now indicate SSL setting is disabled.
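The show sslv3 command reports the appliance's own setting. A practitioner will usually also want an independent check from the network side, confirming that the listener on port 8443 actually refuses an SSLv3 handshake. The script below is an added example, not Guardium tooling and not part of the original page: it sends a raw SSLv3 ClientHello and classifies the first record the server sends back. It builds the record by hand because most current OpenSSL builds (and therefore openssl s_client -ssl3 and Python's ssl module) no longer include SSLv3 support. The default target 127.0.0.1:8443 is an assumption taken from the port shown in the store sslv3 off output.

```python
"""Probe whether a listener still accepts an SSLv3 handshake (POODLE exposure).

Added example for this page, not Guardium's own code. It sends a minimal
SSLv3 ClientHello and classifies the first record returned. The default
host/port (127.0.0.1:8443) are assumptions based on the port in the
`store sslv3 off` output.
"""
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"  # SSL 3.0 on the wire

# A few cipher suites an SSLv3 server would typically accept (IANA ids).
SSLV3_CIPHER_SUITES = [
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record carrying an SSLv3 ClientHello handshake message."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3_VERSION                         # client_version = 3.0
        + client_random                       # 32-byte random (fixed here; a probe, not a session)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                         # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 2-byte length.
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned after our SSLv3 ClientHello.

    "sslv3-accepted"  ServerHello whose negotiated version is 3.0 -> SSLv3 still on
    "sslv3-rejected"  Alert record (handshake_failure, protocol_version, ...)
    "other-version"   ServerHello for a different version (server ignored 3.0)
    "no-tls"          empty, truncated, or non-TLS data (closed socket, plain HTTP)
    """
    if len(data) < 5:
        return "no-tls"
    content_type = data[0]
    if content_type == 0x15:                      # Alert
        return "sslv3-rejected"
    # Handshake record whose message type is 2 (ServerHello); the negotiated
    # version sits in the ServerHello body at offset 9 (5 record + 4 handshake).
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return "sslv3-accepted" if data[9:11] == SSLV3_VERSION else "other-version"
    return "no-tls"


def probe_sslv3(host: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:            # timeout or reset: treat as no TLS answer
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:8443 -> {probe_sslv3(target)}")
```

After store sslv3 off, the probe should report sslv3-rejected (an Alert) or no-tls (connection closed); sslv3-accepted means the listener still negotiates SSL 3.0 and the change has not taken effect. The fixed client random is fine for a probe because no session is ever completed.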