[UCI-Linux] Fwd: SSLv3 vulnerability

Mike Iglesias iglesias at uci.edu
Wed Oct 15 09:12:17 PDT 2014

For those of you not on the network-security-alerts mailing list...

-------- Original Message --------
Subject: SSLv3 vulnerability
Date: Wed, 15 Oct 2014 09:10:57 -0700
From: Mike Iglesias <iglesias at uci.edu>
To: network-security-alerts at uci.edu

A vulnerability (called "POODLE") has been found in SSLv3, which is used by
web servers and browsers to secure traffic between them.  The vulnerability
could allow traffic to be decrypted, exposing cookies, passwords, and other
private data.  Currently, SSLv3 is used by less than 1% of web traffic so it's
not widely used any more.

While this vulnerability is not as critical as the recent Heartbleed or
Shellshock vulnerabilities, we recommend that you turn off SSLv3 support in
your web servers.  Firefox v34, which will be released in late November, will
have SSLv3 support disabled.  Google will be disabling SSLv3 in Chrome soon as
well.  Anyone using Windows XP and IE6 will not be able to access your web
site if you turn off SSLv3 unless they enable TLS v1.0 in IE.  Windows XP is
no longer supported by Microsoft and anyone still using it should upgrade to
Windows Vista/7/8 and a more modern version of IE.

To turn off SSLv3 in Apache, look for the line in the configuration that has
"SSLProtocol" in it and make it look like this:

  SSLProtocol  all -SSLv2 -SSLv3

For IIS, follow the directions here:


For more information on the SSLv3 issue, see



Mozilla has some recommendations for web server configuration here:


Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270

More information about the UCI-Linux mailing list