Advisory: Disabling SSLv3 for POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE) is tracked as CVE-2014-3566. The vulnerability is in SSL protocol 3.0.

SSL protocol 3.0 makes use of CBC-mode ciphers that allow a man-in-the-middle to mount padding-oracle attacks. These attacks target the CBC ciphers to recover plaintext from otherwise encrypted information.

In order to resolve this issue, SSLv3 must be disabled on the Webserver running FileCloud.

Disable SSLv3 for FileCloud on Windows

  1. Open c:\xampp\apache\conf\extra\httpd-ssl.conf
  2. Add the following line at the end of the file and save it:

    SSLProtocol All -SSLv2 -SSLv3

  3. Restart the Webserver

Disable SSLv3 for FileCloud on Linux

  1. Open /etc/apache2/mods-available/ssl.conf on Ubuntu/Debian, or /etc/httpd/conf.d/ssl.conf on CentOS
  2. Add the following line, or change any existing SSLProtocol line to match it, and save the file:

    SSLProtocol All -SSLv2 -SSLv3

  3. Restart the Apache Webserver
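
The following check is an added example, not part of the original advisory or of FileCloud: it scans the text of an Apache SSL config for any `SSLProtocol` line that still leaves SSLv3 enabled, which catches an older directive (for instance inside a virtual host) that the edit above missed. It assumes mod_ssl's left-to-right evaluation of the arguments and treats `All` as including SSLv3; the sample config and the function names are constructed for illustration.

```python
import re

# Protocol names accepted by SSLProtocol. Assumption: "all" is treated as
# including SSLv3, the conservative reading for builds with SSLv3 support.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        chosen = set(KNOWN) if name == "all" else {name} & KNOWN
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)  # a bare token replaces what was set so far
    return enabled

def audit(conf_text):
    """Return (line number, directive) for each line that leaves SSLv3 on."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out lines do not match
        if match and "sslv3" in enabled_protocols(match.group(1)):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample config, not taken from a real installation.
SAMPLE = """\
# constructed sample
SSLProtocol All -SSLv2
<VirtualHost *:443>
    SSLProtocol -SSLv3 All
</VirtualHost>
#SSLProtocol All
SSLProtocol All -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: SSLv3 still enabled by '{text}'")
```

Note that `-SSLv3 All` is flagged: the bare `All` that follows re-enables everything, so the order of the arguments matters.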