There’s a new POODLE in town, but unfortunately it’s not the kind of pooch you want around. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It’s an exploit that, although not considered to be as serious as Heartbleed, is one that should still be protected against. For more information read the Google Blog.
Apache Web Server
To disable SSLv3 on the Apache web server, you will have to adjust the SSLProtocol
directive provided by the mod_ssl
module.
This directive can be set either at the server level or in a virtual host configuration. Depending on your distribution's Apache configuration, the SSL configuration may be located in a separate file that is sourced.
On Ubuntu, the server-wide specification for servers can be adjusted by editing the /etc/apache2/mods-available/ssl.conf
file. If mod_ssl
is enabled, a symbolic link will connect this file to the mods-enabled
subdirectory:
sudo nano /etc/apache2/mods-available/ssl.conf
On CentOS, you can can adjust this in the SSL configuration file located here (if SSL is enabled):
sudo nano /etc/httpd/conf.d/ssl.conf
Inside you can find the SSLProtocol
directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:
SSLProtocol all -SSLv3 -SSLv2
Save and close the file. Restart the service to enable your changes.
On Ubuntu, you can type:
sudo service apache2 restart
On CentOS, this would be:
sudo service httpd restart
cPanel/WHM
Fortunately, protecting your WHM/cPanel server is easy. Just follow the steps below:
Login to WHM, open up the Apache Configuration screen, and click on Include Editor