Be Aware of POODLE SSL 3.0 Vulnerability


SSL 3.0 is nearly 18 years old and was seen as relatively secure until yesterday, when a vulnerability was found in the protocol. POODLE (Padding Oracle On Downgraded Legacy Encryption) allows a man-in-the-middle attacker to cause connection failures, which triggers a fallback to SSL 3.0 that the attacker can then exploit.

To address this issue, HostDime is adjusting SSL on our shared and reseller servers by disabling SSL 2.0 and SSL 3.0, as well as ensuring only secure ciphers are allowed. Please be aware this will cause some compatibility issues for older browsers, such as Internet Explorer 6.

If you are a managed VPS, dedicated, or colocation client, contact us and we can reconfigure your server. If your server is on basic management, or you would like to handle this yourself quickly, add the following to the pre-main include in Apache (/usr/local/apache/conf/includes/pre_main_global.conf) to disable SSLv2 and SSLv3 and honor cipher order:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!AECDH
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

Then restart Apache:

/etc/init.d/httpd restart
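
A global setting does not help if another SSLProtocol line elsewhere in the configuration (a virtual host, for instance) still allows SSLv3. The script below is an added example, not HostDime's tooling: it reads configuration text on standard input and flags every SSLProtocol directive that leaves SSLv3 enabled. It assumes "all" includes SSLv3, and the sample configuration with its virtual host is constructed for illustration.

```sh
#!/bin/sh
# Added example, not HostDime's tooling: flag SSLProtocol directives that
# still allow SSLv3 in Apache configuration text.

# sslv3_enabled ARGS...: succeed if these SSLProtocol arguments leave SSLv3 on.
# Tokens apply left to right: "+X" adds, "-X" removes, a bare name replaces
# the set. Assumption: "all" includes SSLv3 (OpenSSL built with SSLv3 support).
sslv3_enabled() {
    v3=0
    for tok in "$@"; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            all|+all|sslv3|+sslv3) v3=1 ;;
            -all|-sslv3)           v3=0 ;;
            +*|-*)                 ;;        # another protocol toggled
            *)                     v3=0 ;;   # bare TLSv1 etc. replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# audit_conf: read config text on stdin and print "LINE: directive" for each
# SSLProtocol line that leaves SSLv3 enabled; exit status 1 if any was found.
audit_conf() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # split into words without globbing
        [ $# -gt 0 ] || continue
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        shift
        if sslv3_enabled "$@"; then
            echo "$n: SSLProtocol $*"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the page's global setting plus a hypothetical virtual
# host whose own SSLProtocol line re-enables SSLv3.
sample_conf() {
    cat <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
}

sample_conf | audit_conf || echo "SSLv3 is still enabled on the lines listed above"
```

To audit a real server, pipe the concatenated configuration files into audit_conf in place of sample_conf.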


HostDime.com, Inc is a global data center infrastructure provider offering an array of cloud products from managed hosting servers to colocation services that cater to a range of clients, from entry-level to enterprise-level operations. HostDime owns and operates infrastructure and networks in seven countries, with its flagship facility in Florida, USA. Currently with a client base of more than 50,000 clients globally across 6 globally dispersed networks, HostDime is one of the most reputable data center companies in the world.

Jared Smith is HostDime’s Content Strategist.

One thought on “Be Aware of POODLE SSL 3.0 Vulnerability”

  1. Major browser vendors including Mozilla and Google have announced that they are to deactivate SSL 3.0 in their upcoming versions.
