For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

SSLv3 POODLE mitigation recommendations

In our previous post, we discussed POODLE and legacy SSLv3 clients. The best solution to POODLE is to disable SSLv3. However, SSLv3 often can’t be disabled because legacy clients only speak SSLv3....
Published Oct 24, 2014
Version 1.0
security
AKB_184311's avatar
AKB_184311
Icon for Nimbostratus rankNimbostratus
Jan 27, 2015
Hi.. Guided by your article, I am using following setting in my Nginx: ssl_ciphers "AES128+EECDH:AES128+EDH:!aNULL:-RC4:-SSLv3:SSLv3+RC4-SHA"; SSLLabs testing shows though the clients which don't have support for TLS e.g. IE/WinXP do use RC4 on SSLv3 to get connected but even those clients which don't use SSLv3 but use TLS 1.0 (and not TLS v1.2) e.g. IE 8-10/Win 7, IE8/XP, all Android < 4.4 start using RC4. Without the "-RC4:-SSLv3:SSLv3+RC4-SHA" part in above setting, they use stronger ciphers.