Nerd blog.

16 Oct 2014

SSLv3 Disabled

In response to the recent POODLE vulnerability in SSLv3, I have disabled SSLv3 support in anything of mine which speaks SSL/TLS. All connections are running TLSv1.0, TLSv1.1, or TLSv1.2 now. I have also reviewed the list of ciphers in the Mozilla wiki, and updated mine as needed.

I have been experimenting with turning off SSLv3 support periodically over the past year. At one point in the spring, GoogleBot stopped visiting my site as it required SSLv3 at the time. This apparently changed in June of this year to include TLSv1.0 at least.

Now that I’ve disabled SSLv3 support, I’m experimenting with logging the combination of ssl_protocol/ssl_cipher. So far after a few minutes, it is TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 for 100% of 9 requests logged. :-)
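As an added example for the logging experiment above (my own script, not something from the original post): assuming an nginx-style access log with `$ssl_protocol/$ssl_cipher` appended to each line, it tallies the share of each protocol/cipher pair and flags any SSLv3 hit or suite without forward secrecy. The log lines are constructed; note nginx logs TLSv1.0 as "TLSv1".

```python
from collections import Counter

# Constructed sample access-log lines (not from the original post). Assumed
# log_format: the standard "combined" format with "$ssl_protocol/$ssl_cipher"
# appended; a plain-HTTP request logs "-/-" for that field.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Oct/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [16/Oct/2014:10:01:05 +0000] "GET /feed HTTP/1.1" 200 2048 "-" "Googlebot/2.1" TLSv1/ECDHE-RSA-AES256-SHA
198.51.100.7 - - [16/Oct/2014:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30" TLSv1.2/AES128-SHA
203.0.113.12 - - [16/Oct/2014:10:02:30 +0000] "GET /about HTTP/1.1" 200 700 "-" "Mozilla/5.0" TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256
192.0.2.5 - - [16/Oct/2014:10:03:00 +0000] "GET / HTTP/1.0" 400 0 "-" "-" -/-
"""


def parse_tls_field(line):
    """Return (protocol, cipher) from the trailing field, or None for non-TLS lines."""
    if not line.strip():
        return None
    last = line.rsplit(None, 1)[-1]          # the "$ssl_protocol/$ssl_cipher" token
    proto, sep, cipher = last.partition("/")
    if not sep or proto == "-":
        return None
    return proto, cipher


def forward_secret(cipher):
    """True for ephemeral (EC)DHE suites; plain RSA key transport has no PFS."""
    return cipher.startswith(("ECDHE-", "DHE-"))


def summarize(log_text):
    """Tally protocol/cipher pairs and collect the combinations worth a look."""
    counts = Counter()
    warnings = set()
    for line in log_text.splitlines():
        tls = parse_tls_field(line)
        if tls is None:
            continue
        counts[tls] += 1
        proto, cipher = tls
        if proto == "SSLv3":                  # should be zero once SSLv3 is off
            warnings.add(f"SSLv3 still negotiated: {cipher}")
        if not forward_secret(cipher):
            warnings.add(f"no forward secrecy: {proto}/{cipher}")
    total = sum(counts.values())
    shares = {f"{p}/{c}": n / total for (p, c), n in counts.items()} if total else {}
    return {"total": total, "shares": shares, "warnings": sorted(warnings)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for combo, share in sorted(report["shares"].items(), key=lambda kv: -kv[1]):
        print(f"{share:6.1%}  {combo}")
    for w in report["warnings"]:
        print("WARNING:", w)
```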


Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.