In October 2014, Google engineers reported a critical vulnerability in SSL v3.0 that had obtained a funny codename POODLE (Padding Oracle On Downgraded Legacy Encryption). This vulnerability allows a hacker to get access to the information encrypted with SSLv3 using a “man in the middle” attack. Vulnerability affects both the server and the clients that can connect over SSL v3 protocol.
In general, it is not surprising, since SSL 3.0, firstly announced in 1996, is 18 years old and has become obsolescent. In the majority of practical tasks it has been substituted with the cryptographic protocol TLS (versions 1.0, 1.1 and 1.2).
To protect from POODLE vulnerability, it is recommended to completely disable SSLv3 support both client-side and server-side and use only TLS. For the users of the outdated software (for example, those using IIS 6 on Windows XP) it means that they won’t be able to view HTTPS pages and use other SSL services. If SSLv3 support is not disabled completely, and more powerful encryption is used by default, POODLE vulnerability will still take place. It depends on the peculiarities of selecting and adjustment of encryption protocol between the client and the server, since if any faults are detected in TLS, the automatic switch to SSL occurs.
It is recommended to check all services that can use SSL/TLS in any form and disable SSlv3 support. You can take an online test to check if you web server and web apps is subject to this vulnerability here http://poodlebleed.com/.
How to Disable SSLv3 in Windows at System Level
In OS Windows, SSL/TLS support is managed from the registry.
In this example, we’ll show how to completely disable SSLv3 (both client-side and server-side) in Windows Server 2012 R2 at the system level:
- Open the Registry Editor with the administrator privileges
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
- Create a new key with the name SSL 3.0 ( New -> Key)
- In the newly created SSL 3.0 key create two sub keys with the names Client and Server.
- Then in the Client section create a new DWORD (32-bit) value with the name DisabledByDefault
- Specify 1 as the value of DisabledByDefault.
- Then in the Client key create a new DWORD (32-bit) with the name Enabled and the value 0.
- For the changes come into effect, restart your Windows server.
How to Disable SSLv2 (Windows 2008 / Server and earlier)
The OS versions earlier than Windows 7 / Windows Server 2008 R2 use even less secure and even older protocol SSL v2, which should also be disabled for security reasons (in later Windows versions SSLv2 on the client side is disabled by default, and only SSLv3 and TLS1.0 are used). To disable SSLv2, you have to do the same things as described above for the registry key SSL 2.0.
In Windows 2008 / 2012 SSLv2 on the client side is disabled by default.
How to Enable TLS 1.1 and TLS 1.2 in Windows Server 2008 R2 or later
Windows Server 2008 R2 / Windows 7 and later versions support TLS 1.1 and TLS 1.2 encryption algorithms, but these protocols are disabled by default. You can enable TLS 1.1 and TLS 1.2 support in this versions Windows using a similar scenario.
- In the Registry Editor open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Create two keys: TLS 1.1 and TLS 1.2
- In each keys create two sub keyswith the names Client and Server
- In each of the ssections Client and Server create a DWORD (32-bit) Value:
- DisabledByDefault with the value 0
- Enabled with the value 1
- After the changes have been made, restart the server.
A Tool to Manage System Cryptographic Protocols in Windows Server
There is a free tool IIS Crypto, that allows to conveniently manage the parameters of cryptographic protocols in Windows Server 2003, 2008 and 2012. With this tool, you can enable or disable any of the protocols in a few clicks.
The program has several templates that allow to quickly apply presets for different variants of security settings.