Due to a critical security vulnerability in SSL 3.0 (POODLE, CVE-2014-3566; SSL 3.0 is an 18-year-old, obsolete protocol), we recommend disabling it on your server. We have instructions on how to do that in the Updating section but recommend reading the entire document to understand the scope of what this does.
In short, an attacker positioned between a client and your server (for example on the same network as the target) can force the connection down to SSL 3.0, if both the server and the client still support it, and then use a padding-oracle weakness in SSL 3.0's CBC cipher suites to decrypt parts of the traffic, such as session cookies, one byte at a time. It does not expose your certificate or private key; it breaks the confidentiality of individual connections.
Google has a lot more detail on their security blog here.
Because POODLE is a flaw in the SSL 3.0 protocol itself, it only affects services that accept SSL 3.0 connections; for most sites that means HTTPS on servers with an SSL certificate installed. If your server or your sites don't use an SSL certificate, you don't need to update your server. However, we recommend doing it now in case you do end up installing an SSL certificate at a later date.
How you update your server depends on whether your server uses a Linux® distribution or Windows® and if it uses cPanel.
cPanel requires slightly different steps from any other control panel/operating system configuration.
Operating system | Add these Apache directives |
---|---|
CentOS/RHEL 6.x | `SSLHonorCipherOrder On` and `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` |
CentOS/RHEL 5.x | `SSLHonorCipherOrder On` and `SSLProtocol -All +TLSv1` |

The 5.x row stops at TLSv1 because the OpenSSL 0.9.8 shipped with those releases does not implement TLS 1.1 or 1.2; `-All` removes SSL 2.0 and SSL 3.0 on both releases.
Right now, only servers using RHEL can protect themselves against POODLE on non-HTTPS protocols. They can do this by updating to the latest version of OpenSSL and then implementing TLS_FALLBACK_SCSV. Note that TLS_FALLBACK_SCSV only prevents a downgrade for clients that also implement it; it does not protect clients that genuinely speak nothing newer than SSL 3.0, so disabling SSL 3.0 in each service remains the complete fix.
Servers using CentOS do not yet have a known fix for the vulnerability on non-HTTPS protocols. However, we will update this article with those instructions as soon as one is available.
Modify your Apache SSL configuration (on CentOS/RHEL this is typically `/etc/httpd/conf.d/ssl.conf`, or the `<VirtualHost>` block that holds your certificate) to include the directives shown in the table above, then restart Apache so the change takes effect.
For more information on how to do that, view Apache's documentation.
Modify your server's registry to remove SSL 3.0 support from IIS, using Microsoft's document here. You can jump down to the Disable SSL 3.0 in Windows section. IIS uses the Windows Schannel provider, so the setting lives under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server` (`Enabled` set to `0`), it applies to every Schannel-based service on the machine, and the server must be rebooted before it takes effect.
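Whichever platform you updated, verify from outside the server that it now refuses SSL 3.0. Modern OpenSSL builds usually cannot speak SSLv3 at all, so `openssl s_client -ssl3` is often unavailable; the following Python script is an added example, not part of this article or of any vendor tool, that sends a raw SSL 3.0 ClientHello and classifies the first record that comes back. The names `probe`, `classify_response` and `build_sslv3_client_hello` are this example's own, and the sample replies at the bottom are constructed for offline testing, not captured from a real host.

```python
"""Added example: probe a host for SSL 3.0 support by speaking the record layer directly."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"                     # protocol version 3.0 on the wire
TLS_FALLBACK_SCSV = 0x5600              # RFC 7507 signalling cipher suite value
# A few CBC suites every SSLv3 stack speaks; one accepted suite is enough to learn
# whether the server answers an SSLv3 hello at all.
CBC_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039]
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(cipher_suites=CBC_SUITES, client_random=None):
    """Return one record carrying an SSL 3.0 ClientHello (no extensions, as SSLv3 had none)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSLV3 + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def classify_response(data: bytes) -> dict:
    """Interpret the first record a server sends back to an SSLv3 ClientHello."""
    if not data:
        return {"status": "rejected", "detail": "connection closed without a reply"}
    if len(data) < 5:
        return {"status": "unexpected", "detail": "truncated record header"}
    record_type = data[0]
    if record_type == 0x15 and len(data) >= 7:                   # alert record
        level, description = data[5], data[6]
        name = ALERT_NAMES.get(description, str(description))
        status = "fallback_rejected" if description == 86 else "rejected"
        return {"status": status, "detail": f"alert level={level} {name}"}
    if record_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        server_version = data[9:11]                              # 5-byte record + 4-byte handshake header
        if server_version != SSLV3:
            return {"status": "unexpected",
                    "detail": f"ServerHello version {server_version.hex()}"}
        suite = None
        if len(data) >= 44:
            sid_len = data[43]                                   # session id follows the 32-byte random
            if len(data) >= 46 + sid_len:
                suite = int.from_bytes(data[44 + sid_len:46 + sid_len], "big")
        return {"status": "sslv3_accepted", "cipher_suite": suite,
                "detail": "server negotiated SSL 3.0; POODLE applies"}
    return {"status": "unexpected", "detail": f"record type 0x{record_type:02x}"}


def probe(host, port=443, check_fallback_scsv=False, timeout=5.0):
    """Connect, send the hello and classify the reply. This is the only function that touches the network."""
    suites = CBC_SUITES + ([TLS_FALLBACK_SCSV] if check_fallback_scsv else [])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello(suites))
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            data = b""                                           # reset counts as a refusal
        except socket.timeout:
            return {"status": "unexpected", "detail": "no reply before timeout"}
    return classify_response(data)


# Constructed replies for exercising the parser offline (not captured from a real host).
def sample_server_hello(version=SSLV3, cipher_suite=0x002F):
    body = version + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x00\x00\x02\x02\x46"       # fatal (2), protocol_version (70)
SAMPLE_ALERT_INAPPROPRIATE_FALLBACK = b"\x15\x03\x00\x00\x02\x02\x56"  # fatal (2), inappropriate_fallback (86)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe(target))
    print(probe(target, check_fallback_scsv=True))
```

A `sslv3_accepted` result means the server still negotiates SSL 3.0 and the directives or registry change above have not taken effect (check that the right configuration file or virtual host was edited and that the service was restarted, or the Windows server rebooted). Passing `check_fallback_scsv=True` adds the RFC 7507 signalling value to the hello: an `inappropriate_fallback` alert confirms the server honours TLS_FALLBACK_SCSV, whereas a plain `protocol_version` or `handshake_failure` alert only shows that SSL 3.0 is refused and says nothing about SCSV support.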