SSLv3 POODLE mitigation recommendations
In our previous post, we discussed POODLE and legacy SSLv3 clients.
The best solution to POODLE is to disable SSLv3.
However, SSLv3 often can’t be disabled because legacy clients only speak SSLv3.
F5’s security teams have done some investigation, and we believe that RC4 can be used as a POODLE mitigation for those legacy clients. RC4 is a stream cipher and is not vulnerable to the POODLE attack.
RC4 does have a known weakness. After hundreds of millions of messages, an attacker could recover the plaintext.
POODLE can recover information after only tens of thousands of attacks.
So even though RC4 is not recommended as a cipher, it remains more secure to use in SSLv3 sessions than AES-CBC.
If you cannot disable SSLv3, you may enable RC4-SHA only for use in SSLv3 sessions until you are able to replace all the legacy clients.
To configure your virtual server to only allow SSLv3 RC4-SHA, use a cipher string like the following:
"default:-RC4:-SSLv3:SSLv3+RC4-SHA"
"default" sets the default ciphers, "-RC4" removes any ciphers that contain RC4 (this is optional), "-SSLv3" removes any SSLv3 ciphers, and "SSLv3+RC4-SHA" re-enables only the RC4-SHA cipher for SSLv3. Any client connecting via SSLv3 will be forced to use RC4 rather than a CBC cipher that is vulnerable to POODLE.
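As an added illustration (not F5's own code or cipher-string parser), the following Python models the cipher-string semantics described above against a constructed table of candidate suites: the four operations are applied left to right, and the result is checked for what an SSLv3-only legacy client and a TLS client would negotiate. The matching rules and the suite table are assumptions chosen to mirror the explanation, not BIG-IP's real defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str   # cipher suite name as it appears in a cipher string
    proto: str  # protocol version on which this suite is offered
    mode: str   # "cbc" (POODLE-affected under SSLv3) or "stream"

# Constructed candidate table standing in for the "default" set; not the real BIG-IP list.
DEFAULT = [Suite(n, p, "stream" if n.startswith("RC4") else "cbc")
           for p in ("TLSv1.2", "TLSv1", "SSLv3")
           for n in ("AES256-SHA", "AES128-SHA", "RC4-SHA")]

def matches(suite, expr):
    """Every '+'-joined term must match the protocol, the full suite name,
    or one algorithm token of the name (so 'RC4' matches 'RC4-SHA')."""
    for term in expr.split("+"):
        if term not in (suite.proto, suite.name) and term not in suite.name.split("-"):
            return False
    return True

def evaluate(cipher_string, table=DEFAULT):
    """Apply the ':'-separated operations in order; return the enabled suites, server preference first."""
    selected = []
    for token in cipher_string.split(":"):
        if token.lower() == "default":
            selected += [s for s in table if s not in selected]
        elif token.startswith("-"):          # remove every enabled suite matching the keyword
            selected = [s for s in selected if not matches(s, token[1:])]
        else:                                 # (re-)enable matching suites from the table
            selected += [s for s in table if matches(s, token) and s not in selected]
    return selected

def negotiate(selected, client_proto, client_suites):
    """Server-preference selection: first enabled suite on the client's protocol that the client offers."""
    for s in selected:
        if s.proto == client_proto and s.name in client_suites:
            return s.name
    return None

def cbc_suites_on(selected, proto):
    """The POODLE check: which CBC suites can a client speaking this protocol still reach?"""
    return [s.name for s in selected if s.proto == proto and s.mode == "cbc"]

if __name__ == "__main__":
    enabled = evaluate("default:-RC4:-SSLv3:SSLv3+RC4-SHA")
    print("SSLv3 CBC suites left:", cbc_suites_on(enabled, "SSLv3"))                              # []
    print("SSLv3-only client gets:", negotiate(enabled, "SSLv3", ["AES128-SHA", "RC4-SHA"]))       # RC4-SHA
    print("TLSv1 client gets:", negotiate(enabled, "TLSv1", ["AES128-SHA", "RC4-SHA"]))            # AES128-SHA
```

Dropping the optional "-RC4" leaves RC4-SHA enabled for TLS clients as well, which the model also shows: a TLSv1 client offering only RC4-SHA is then accepted instead of refused.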
See SOL 13171 for information on setting your cipher string.
There are known attacks against RC4 that are better than brute-force. But given POODLE, RC4 is the most secure SSLv3 cipher.
It is still recommended to disable SSLv3 and RC4 once you are able to remove all legacy clients.
- Ian_124377 (Nimbostratus): I had one proposed solution. What about modifying client SSL profiles and changing the 'Cache Size' to a smaller value? This would require SSL renegotiation every X requests. So, wouldn't that provide a better alternative to removing ciphers? This is just a thought. I would be interested in hearing others' opinions on this.
- AKB_184311 (Nimbostratus): Hi. Guided by your article, I am using the following setting in my Nginx: ssl_ciphers "AES128+EECDH:AES128+EDH:!aNULL:-RC4:-SSLv3:SSLv3+RC4-SHA"; SSLLabs testing shows that the clients which don't have support for TLS (e.g. IE/WinXP) do use RC4 on SSLv3 to get connected, but even those clients which don't use SSLv3 but use TLS 1.0 (and not TLS 1.2), e.g. IE 8-10/Win 7, IE8/XP, all Android < 4.4, start using RC4. Without the "-RC4:-SSLv3:SSLv3+RC4-SHA" part in the above setting, they use stronger ciphers.