Advisory: Disabling SSLv3 for POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE) was released with the CVE identifier of CVE-2014-3566. The vulnerability was found in SSL protocol 3.0.

SSL protocol 3.0 makes use of CBC-mode ciphers that allow for man-in-the-middle attacks using padding-oracle stacks. These attacks target the CBC ciphers to retrieve plain-text output from otherwise encrypted information.

In order to resolve this issue, SSLv3 must be disabled on the Webserver running FileCloud.

Disable SSLv3 for FileCloud on Windows

1. Open c:\xampp\apache\conf\extra\httpd-ssl.conf

2. Add the following line at the end of the file and save it

   SSLProtocol All -SSLv2 -SSLv3

3. Restart the Webserver

Disable SSLv3 for FileCloud on Linux

1. Open /etc/apache2/mods-available/ssl.conf for Ubuntu/Debian and /etc/httpd/conf.d/ssl.conf for CentOS

2. Add the following line or modify any existing line with the following and save it 

   SSLProtocol All -SSLv2 -SSLv3

    

3. Restart the Apache Webserver