Advisory: Disabling SSLv3 for POODLE
Padding Oracle On Downgraded Legacy Encryption (POODLE) was published under the CVE identifier CVE-2014-3566. The vulnerability is in SSL protocol 3.0.
SSL protocol 3.0 uses CBC-mode ciphers in a way that allows a man-in-the-middle attacker to mount padding-oracle attacks. These attacks target the CBC ciphers to recover plaintext from otherwise encrypted information.
To resolve this issue, SSLv3 must be disabled on the web server running FileCloud.
Disable SSLv3 for FileCloud on Windows
- Open c:\xampp\apache\conf\extra\httpd-ssl.conf
- Add the following line at the end of the file and save it:
  SSLProtocol All -SSLv2 -SSLv3
- Restart the web server
Disable SSLv3 for FileCloud on Linux
- Open /etc/apache2/mods-available/ssl.conf on Ubuntu/Debian, or /etc/httpd/conf.d/ssl.conf on CentOS
- Add the following line, or change any existing SSLProtocol line to match it, and save the file:
  SSLProtocol All -SSLv2 -SSLv3
- Restart the Apache web server
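
After editing the file on either platform, it is worth confirming that no other SSLProtocol line (for example inside a virtual host) still leaves SSLv3 on. The following audit script is an added example, not part of the FileCloud advisory; its function names are its own, the sample config is constructed, and it assumes that `all` includes SSLv3, as in the Apache builds this advisory targets.

```python
import re

# Assumption: protocols that "all" enables on the Apache builds this advisory
# targets, where "all" still included SSLv3.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Matches active SSLProtocol lines; commented-out lines start with '#' and do not match.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right: +name adds, -name removes."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        selected = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare name replaces everything before it
    return enabled


def audit(config_text):
    """Return (line_number, arguments, sslv3_enabled) for each active SSLProtocol line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            args = match.group(1)
            findings.append((number, args, "sslv3" in enabled_protocols(args)))
    return findings


def sslv3_disabled(config_text):
    """True only if at least one SSLProtocol line exists and none leaves SSLv3 on."""
    findings = audit(config_text)
    return bool(findings) and not any(on for _, _, on in findings)


# Constructed sample: the global line is fixed, but a vhost re-enables SSLv3.
SAMPLE = """\
#SSLProtocol all
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for number, args, on in audit(SAMPLE):
        print(f"line {number}: SSLProtocol {args} -> SSLv3 {'ENABLED' if on else 'disabled'}")
```

To check a real installation, pass the contents of the file named in the steps above to `audit()`; any line reported as enabled needs the `-SSLv3` token added.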