The POODLE weakness in the SSL protocol (CVE-2014-3566)
This document (7015773) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
SUSE Linux Enterprise Server 12
In short: The POODLE attack to the SSL 3.0 protocol, published last night (https://www.openssl.org/~bodo/ssl-poodle.pdf) requires server and desktop administrators and desktop users to carefully review their security protocol settings in packages such as HTTP Servers (such as Apache, Tomcat), SMTP Servers(such as Postfix), IMAP Servers, ... as well as Web browsers (Firefox, ...) and E-Mail Clients (Evolution, Thunderbird, ...).
More generally: everything which uses the SSL/TLS protocol, needs a review.
Check for and if needed, change the settings to work with TLS 1.0 as a minimum requirement (details below).
Fortunately, you do not have to install or update any package to mitigate the situation. In the future you may see updates to some packages, to help mitigating this on a lower level than the configuration alone.
Unfortunately, changing the settings on servers and clients can have significant side effects, if some part of your stack really requires the SSL 3.0 protocol. Carefully check your needs and those of your peers!
2. Settings for some well known packages
Firefox and Thunderbird
In older Firefox Browsers (before 23), there was a menu entry to disable SSLv3 (Preferences-Advanced-Encryption).
For more recent Firefox versions you need to use the detailed configuration. Go to "about:config", search for "security.tls.version.min" and change the value to "1" at least.
The default is "0", see:
The same steps are needed for Thunderbird.
Make sure your Apache configuration(s) contains:
"SSLProtocol all -SSLv2 -SSLv3"
Note: Run the following command to make sure that SSLv3 is disabled:
openssl s_client -connect localhost:443 -ssl3
Postfix SMTP Server
To enforce TLS for transport of SMTP connections, add this to your configuration:
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_enforce_tls = yes
Note, with "smtp_enforce_tls = yes" your postfix will not accept any
plaintext connections anymore.
If your email server supports the STARTTLS (http://en.wikipedia.org/wiki/STARTTLS) feature, we suggest you change configuration on Evolution email client from "SSL" to "TLS". This will force Evolution email client to use STARTTLS over plain SSL. SUSE is currently working on using TLS instead of SSLv3 when "SSL" is chosen in the configuration dialog, for mail servers not supporting STARTTLS. A respective patch will be available in the future.
To disable SSL edit the following file:
and change "NSSProtocol" to "TLSv1.0,TLSv1.1,TLSv1.2" and restart apache?
With SLE11SP3 (HA+SDK) we deliver lighttpd 1.4.20. This version of
lighhtpd does not allow to disable SSL. Please see the work-around
Cyrus-imap supports SSL and STARTTLS. The configuration needs to be
adjusted by setting:
If this does not work for your environment you can still use the below
Even is the protocol downgrade might be possible, it is still very
likely that the IMAP over SSL protocol is not vulnerable to this kind of
On SLE12 you can enable TLS up to TLS 1.2 by using
sslVersion = TLSv1 TLSv1.1 TLSv1.2
On SLE11 you can enable TLS up to TLS 1.1 by using the config option:
sslVersion = TLSv1 TLSv1.1
For earlier version you have to try:
options = NO_SSLv3
options = NO_SSLv2
SUSE Manager disables SSL by default and only uses TLS.
SMT uses TLS on the server site.
Both services use Nginx which is configured to not allow SSL but only
Your nginx configuration file should contain:
If you're running the OpenStack Horizon Dashboard with SSL, consider to change the chef template on your Admin server
SSLProtocol all -SSLv2 -SSLv3
Upload the cookbook by
knife cookbook upload nova_dashboard -o /opt/dell/chef/cookbooks/
and finally redeploy the "Horizon" Barclamp from the UI to make the change effective. Note this setting is supposed to be the default going forward.
The registration protocol uses SSL (libcurl) and allows SSL as fallback.
Updates for it will be published if appropriate. Is is very unlikely
that the registration process can be exploited using this vulnerability.
Patches distributed via our CDN provider are secure because SSL was
disabled and packages are signed in addition.
If your service does not support to disable SSL it is possible to use
HAproxy to handle the TLS connections and forward the traffic to the
After changing your configuration verify your new setup please.
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. An attacker who acts as man-in-the-middle can force to downgrade the SSL/TLS protocol to version 3.0 if the attacked application supports this old SSL version. This legacy protocol is not secure. Depending on the applications, it may be possible for an adversary to mount attacks that can lead to disclosure of secret data such as passwords or HTTP cookies.
This attack is not limited to web-browsers, other services (like VPNs, mail clients, etc) use SSL to secure their traffic as well. Please evaluate your applications and configurations -- on all operating systems.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7015773
- Creation Date:15-OCT-14
- Modified Date:04-NOV-14
- SUSESUSE Linux Enterprise Server