POODLE
How to patch SSLv3 POODLE vulnerability (CVE-2014-3566) in different services.
Apache
/etc/apache2/mods-available/ssl.conf:
-------------------------------------
...
SSLProtocol all -SSLv2 -SSLv3
_$: apachectl configtest
Syntax OK
_$: service apache2 restart
* Restarting web server apache2
... waiting [ OK ]
Nginx
/etc/nginx/sites-enabled/domain:
--------------------------------
...
# HTTPS
server {
server_name www.domain.com;
listen 443 ssl;
return 301 http://www.domain.com$request_uri;
# SSL
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
_$: nginx -t
_$: service nginx restart
IIS
Source: https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
Open the Registry Editor and run it as administrator.
For example, in Windows 2012:
On the Start screen type regedit.exe.
Right-click on regedit.exe and click Run as administrator.
In the Registry Editor window, go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key.
Name the key SSL 3.0.
In the navigation tree, right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key.
Name the key Client.
In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key.
Name the key Server.
In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value.
Name the value DisabledByDefault.
In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then click OK.
In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value.
Name the value Enabled.
In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then click OK.
Restart your Windows server.
You have successfully disabled the SSL v3 protocol.
Dovecot
/etc/dovecot/conf.d/10-ssl.conf:
--------------------------------
...
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
_$: service dovecot restart
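The three Linux services above each turn SSLv3 off in a different place: Apache through SSLProtocol, nginx through ssl_protocols, and Dovecot through the OpenSSL cipher string (!SSLv3). The following POSIX shell script is added here as an example; it is not code from the original page nor from any of these projects. It audits such directive lines before a service is restarted, so a forgotten "-SSLv3" or a config that never mentions protocols at all (leaving the server's built-in default in charge) is caught. The directive names are the real ones used above; the sample config files it writes are constructed. It only answers the SSLv3 question and says nothing about cipher choices such as the RC4 entries in the nginx block, which RFC 7465 later prohibited for TLS.

```shell
#!/bin/sh
# Added example, not code from the original page: audit SSL/TLS protocol
# directives for SSLv3 before restarting Apache, nginx or Dovecot.
# Directive names are the real ones; the sample config files are constructed.

# sslv3_status <apache|nginx|dovecot> "<directive line>"
# Prints a one-line verdict; returns 0 when SSLv3 is disabled, 1 when it is
# still allowed, 2 for an unknown service.
sslv3_status() {
    kind=$1
    # Drop a trailing nginx ';' or a '#' comment, and normalise tabs to spaces
    line=$(printf '%s' "$2" | sed 's/[;#].*$//' | tr '\t' ' ')
    case "$kind" in
        apache)
            # "all", "+SSLv3" or a bare SSLv3 enable it unless "-SSLv3" is present
            case " $line " in
                *" -SSLv3 "*)                       status=disabled ;;
                *" all "*|*" +SSLv3 "*|*" SSLv3 "*) status=ALLOWED ;;
                *)                                  status=disabled ;;
            esac ;;
        nginx)
            # nginx lists protocols positively; SSLv3 is on only if it is named
            case " $line " in
                *" SSLv3 "*) status=ALLOWED ;;
                *)           status=disabled ;;
            esac ;;
        dovecot)
            # The page disables SSLv3 through the OpenSSL cipher string (!SSLv3)
            case "$line" in
                *'!SSLv3'*) status=disabled ;;
                *)          status=ALLOWED ;;
            esac ;;
        *)
            echo "unknown service: $kind" >&2
            return 2 ;;
    esac
    printf '%-8s %-50s SSLv3 %s\n' "$kind" "$line" "$status"
    [ "$status" = disabled ]
}

# audit_config <apache|nginx|dovecot> <file>
# Checks every relevant directive in the file; returns 1 if any still allows
# SSLv3, or if no directive exists at all (the server default would apply).
audit_config() {
    kind=$1 file=$2 rc=0
    case "$kind" in
        apache)  pattern='^[[:space:]]*SSLProtocol[[:space:]]' ;;
        nginx)   pattern='^[[:space:]]*ssl_protocols[[:space:]]' ;;
        dovecot) pattern='^[[:space:]]*ssl_cipher_list[[:space:]]*=' ;;
        *)       echo "unknown service: $kind" >&2; return 2 ;;
    esac
    matches=$(grep -E "$pattern" "$file") || {
        echo "$kind: no protocol directive in $file, server default applies" >&2
        return 1
    }
    while IFS= read -r l; do
        sslv3_status "$kind" "$l" || rc=1
    done <<EOF
$matches
EOF
    return $rc
}

# --- demo on constructed config snippets in the style of the page ---
tmp=$(mktemp -d)
printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$tmp/apache-fixed.conf"
printf 'SSLProtocol all -SSLv2\n'        > "$tmp/apache-old.conf"
printf 'server {\n\tssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$tmp/nginx.conf"
printf 'ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL\n' > "$tmp/dovecot.conf"
for spec in apache:apache-fixed.conf apache:apache-old.conf nginx:nginx.conf dovecot:dovecot.conf; do
    audit_config "${spec%%:*}" "$tmp/${spec#*:}" || echo "  -> ${spec#*:} still needs patching"
done
rm -rf "$tmp"
```

Run it as-is to see the four verdicts; to check a live box, call audit_config with the real file, e.g. audit_config apache /etc/apache2/mods-available/ssl.conf, before the apachectl configtest and restart steps above.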
Test
If there is more than one domain on the same server, check which one appears when you visit http://
_$: nmap --script ssl-enum-ciphers -p 443 www.domain.com
Nmap scan report for 192.168.1.211
Host is up (0.00069s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
There is no sign of SSLv3: Ok.
_$: nmap --script ssl-enum-ciphers -p443,993,995 mail.domain.com
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| ...
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| ...
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| ...
| compressors:
| NULL
|_ least strength: strong
There is a sign of SSLv3, but it says "No supported ciphers found": Ok.
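The two scans above show the two "good" shapes: no SSLv3 section at all, or an SSLv3 line that says "No supported ciphers found" (the version is still negotiable, but the scanner found no suite it could use). A still-vulnerable host instead prints an SSLv3 section with a list of ciphers. The POSIX shell function below, added here as an example and not part of the original page or of nmap, parses saved ssl-enum-ciphers output and returns non-zero when any scanned port still offers SSLv3 suites, counting the CBC suites under it since those are the ones POODLE targets. The three scan files it writes are constructed to match the shapes shown above plus an unpatched host.

```shell
#!/bin/sh
# Added example, not from the original page: turn saved
# `nmap --script ssl-enum-ciphers` output into a per-port SSLv3 verdict.
# The sample scan files below are constructed in the shape of nmap's output.

# nmap_sslv3_verdict <file>
# Prints one line per scanned port; returns 1 if any port still offers
# SSLv3 cipher suites, 0 if SSLv3 is absent or listed with no ciphers.
nmap_sslv3_verdict() {
    awk '
        # a new port block: "443/tcp open https"
        /^[0-9]+\/tcp/ { port = $1; seen[port] = "absent"; insslv3 = 0 }
        # the SSLv3 header, with or without "No supported ciphers found"
        /^[|][ _]*SSLv3:/ {
            if ($0 ~ /No supported ciphers found/) seen[port] = "no-ciphers"
            else { seen[port] = "offered"; insslv3 = 1 }
            next
        }
        # any TLS header or the closing "|_" line ends the SSLv3 section
        /^[|][ _]*TLSv1/ || /^[|]_/ { insslv3 = 0 }
        # count CBC suites under SSLv3: the combination POODLE exploits
        insslv3 && /^[|][ _]*TLS_.*_CBC_/ { cbc[port]++ }
        END {
            bad = 0
            for (p in seen) {
                if (seen[p] == "offered") {
                    printf "%s: SSLv3 offered with %d CBC suite(s) -> VULNERABLE\n", p, cbc[p] + 0
                    bad = 1
                } else if (seen[p] == "no-ciphers") {
                    printf "%s: SSLv3 listed but no supported ciphers -> ok\n", p
                } else {
                    printf "%s: no SSLv3 section -> ok\n", p
                }
            }
            exit bad
        }
    ' "$1"
}

# --- demo on constructed scan output ---
tmp=$(mktemp -d)
# shape 1: SSLv3 not listed at all (like the first scan on the page)
cat > "$tmp/web.txt" <<'EOF'
443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
EOF
# shape 2: SSLv3 listed but empty (like the second scan on the page)
cat > "$tmp/mail.txt" <<'EOF'
443/tcp open https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
993/tcp open imaps
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|_  least strength: strong
EOF
# shape 3: unpatched host, SSLv3 with a CBC suite
cat > "$tmp/old.txt" <<'EOF'
443/tcp open https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|_  least strength: strong
EOF
for f in web mail old; do
    nmap_sslv3_verdict "$tmp/$f.txt" || echo "  -> $f still needs patching"
done
rm -rf "$tmp"
```

For a real check, save the scan first (nmap --script ssl-enum-ciphers -p443,993,995 mail.domain.com > scan.txt) and run nmap_sslv3_verdict scan.txt; the exit status makes it usable from a cron job or a deployment check.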