Introduction

In this section, Poste Italiane’s CERT provides useful information for the correct use and configuration of the SSL v.3 protocol both client side and server side. SSL – Secure Sockets Layer – and its successor TLS – Transport Layer Security – are cryptographic protocols designed to provide security for Internet communications. Their greater use is known for web browsing (HTTPS), but they are also used for many other purposes.

SSL Version 1 has never been released publicly and Version 2 was profoundly insecure. So it came to version 3 of the SSL, which, together with the latest TLS versions 1 / 1.1 / 1.2, are the protocols currently used to ensure the security of our most important communications over the Internet.

As happened to SSLv2, Google engineers discovered a flaw in SSLv3 (with a technique known as POODLE) that makes it inadequate and useless. There is a patch but it does not completely resolve the problem because it only works if both connection endpoints are properly configured.

With regard to the many security issues related to the secure connection channel, clients and servers should disable SSL v3 as soon as possible. Specifically, the HTTPS secure channel should only work with TLS v1.0 and TLS v1.2 versions.

APPLICATIONS

SSL protocol is used in many applications. In particular it is used in:

  • Browser (Internet Explorer, Firefox, Chrome, Safari, Opera);
  • Web Server (Apache, IIS, Nginx, Lighttpd);
  • Mail Server (SendMail, Postfix, Courier-imap);
  • Other (OpenVPN, Java, HAProxy, Node.js).

DISABLING SSLV3 – BROWSER

Internet Explorer:

To disable SSLv3 in Microsoft Internet Explorer, follow these steps:

  • Open Internet Options from Internet Explorer;
  • Select the Advanced tab Advanced;
  • Locate the Security section and deselect Use SSL 3.0;
  • Confirm the configuration by clicking OK.

If you have an obsolete version of Windows, such as Windows XP, make sure it is at least updated with Service Pack 3 (SP3) to access sites that do not provide SSLv3.

Firefox:

From version 34 of Mozilla Firefox SSLv3 is disabled by default, for earlier versions, do the following:

  • In the address bar, type: about:config and then send;
  • Set the value of the security.tls.version.min parameter to 1.

Chrome:
Google Chrome in new versions (date of the announcement still unrecognized) will have SSLv3 disabled by default. While waiting to be released, to disable SSLv3, you can run the browser from the command line with the –ssl-version-min=tls1 parameter. In relation to the operating system you are using, for a desktop connection, proceed as follows:

Windows:

  • On the right Desktop on the Google Chrome shortcut, select Properties;
  • In Destination, after the last character (double apex), add a space followed by:
    –ssl-version-min=tls1;
  • Click OK and confirm (enter administrator credentials if required).

NB. Also to intervene on any instance of the browser launched through links received by email or present in documents, etc. you need to intervene on the Windows configuration log. Specifically, in the HKEY_CLASSES_ROOT key, you need to change the value of the ChromeHTML/shell/open/command sub key with the following:

“C:\Program Files\Google\Chrome\Application\chrome.exe” –ssl-version-min=tls1 — “%1″
(check the path of the chrome.exe file for your system)

ssl3_1
Linux:

For Linux, the change varies depending on the distribution chosen. As for Ubuntu, do the following:

  • Edit the /usr/share/applications/google-chrome.desktop file
  • Locate all the rows that begin with: Exec=
  • Add the string –ssl-version-min=tls1

Eg the row: Exec=/usr/bin/google-chrome-stable %U
becomes: Exec=/usr/bin/google-chrome-stable –ssl-version-min=tls1 %U

Mac OS X:

With the AppleScript editor (available in /Applications/Utilities/), type:

do shell script “open ‘/Applications/Google Chrome.app’ –args –ssl-version-min=tls1″
(check the path of the Google Chrome.app file for your system)

save the file as Application (in File Format) and add the application to the Dock.

Safari:

For Apple’s browser, just apply Security Update 2014-005, available at http://support.apple.com/kb/HT6531. The update is available for Mac OS Mavericks, Mountain Lion, and Yosemite. The issue has been resolved by disabling the CBC encryption functionality used by attackers when TLS connection attempts fail.

Opera:

SSLv3 is disabled by version 12 by default. For versions of Opera 12.17 or earlier, do the following:

  • Select CTRL + F12
  • Select the (tab) Advanced tab
  • Click Security on the left menu
  • Click Security Protocols
  • Uncheck SSL Enable 3
  • Click OK