Theodore Baschak

Routing Guru. IPv6 Advocate. Operator of Hextet Systems (AS395089).

SSLv3 Disabled

Thu, 16 Oct 2014 09:29:53 -0500 » Security, SSL, Networking, Programming, System Administration, Network Monitoring

In response to the recent POODLE vulnerability in SSLv3, I have disabled SSLv3 support in anything of mine which speaks SSL/TLS. All connections are running TLSv1.0, TLSv1.1, or TLSv1.2 now. I have also reviewed the list of ciphers in the Mozilla wiki, and updated mine as needed.

I have been experimenting with turning off SSLv3 support periodically over the past year. At one point in the sprint, GoogleBot stopped visiting my site as it required SSLv3 at the time. This apparently changed in June of this year to include TLSv1.0 at least.

Now that I’ve disabled SSLv3 support, I’m experimenting with logging the combination of ssl_protocol/ssl_cipher. So far after a few minutes, it is TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 for 100% of 9 requests logged. :-)
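As an added example (not code from the original post), here is one way to tally the logged ssl_protocol/ssl_cipher pairs and flag any request that still negotiated SSLv2 or SSLv3. It assumes each access-log line ends with a `protocol/cipher` field; the log layout, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout (not from the post): every line ends in "<protocol>/<cipher>",
# e.g. an nginx log_format ending in  $ssl_protocol/$ssl_cipher
TLS_FIELD = re.compile(
    r"\s(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?|-)/(?P<cipher>[A-Za-z0-9_-]+)\s*$"
)
LEGACY = {"SSLv2", "SSLv3"}  # must not appear once SSLv3 is disabled

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = '''
192.0.2.10 [16/Oct/2014:09:31:02 -0500] "GET / HTTP/1.1" 200 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
192.0.2.11 [16/Oct/2014:09:31:05 -0500] "GET /feed HTTP/1.1" 200 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
2001:db8::5 [16/Oct/2014:09:31:09 -0500] "GET / HTTP/1.1" 200 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 [16/Oct/2014:09:32:40 -0500] "GET / HTTP/1.1" 200 TLSv1/ECDHE-RSA-AES128-SHA
203.0.113.9 [16/Oct/2014:09:33:12 -0500] "GET / HTTP/1.0" 200 SSLv3/DES-CBC3-SHA
192.0.2.12 [16/Oct/2014:09:33:30 -0500] "GET / HTTP/1.1" 301 -/-
truncated line with no tls field
'''

def tally(lines):
    """Return (Counter of (protocol, cipher), legacy-protocol lines, unparsed count)."""
    counts, legacy, unparsed = Counter(), [], 0
    for line in (l.strip() for l in lines):
        if not line:
            continue
        m = TLS_FIELD.search(line)
        if m is None:
            unparsed += 1          # wrong format or truncated entry
            continue
        if m["proto"] == "-":      # plain-HTTP request: no TLS was negotiated
            continue
        counts[(m["proto"], m["cipher"])] += 1
        if m["proto"] in LEGACY:
            legacy.append(line)    # a listener somewhere still accepts SSLv3
    return counts, legacy, unparsed

def report(counts):
    """Format each protocol/cipher pair with its share of TLS requests."""
    total = sum(counts.values())
    return [f"{p}/{c}: {n} ({100 * n / total:.0f}%)"
            for (p, c), n in counts.most_common()]

if __name__ == "__main__":
    counts, legacy, unparsed = tally(SAMPLE_LOG.splitlines())
    print("\n".join(report(counts)))
    print(f"legacy-protocol requests: {len(legacy)}, unparsed lines: {unparsed}")
```

A non-empty legacy list after the change means some listener or virtual host was missed when SSLv3 was turned off.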