In response to the OpenSSL Poodle vulnerability should I disable SSLv3?

OpenSSL just announced another new vulnerability in its memory routines. You can read all about it here: https://www.openssl.org/news/secadv_20141015.txt

The workaround is to disable SSLv3.

  • Will this disable HTTPS on our website completely?
  • What clients rely on SSLv3 still? Should we be concerned about supporting them?

No, it will not break HTTPS connectivity to your website; TLSv1 (and newer versions, if your software is recent enough) is already being used instead by almost all browsers (with the notable exception of IE6 on Windows XP).

Verify in your configuration that TLSv1 is enabled, but it is by default in almost every server-side SSL configuration.


Yes, you should disable SSLv3. Poodle works because browsers will attempt to use older protocols such as SSLv3 if TLS fails. A MITM can abuse this (unless the new TLS SCSV is supported by the client and server, which only Chrome supports atm). For a really good writeup on the details of the Poodle attack see: https://security.stackexchange.com/q/70719

SSLv3 is broken in several ways, and the best way to deal with the problem is to disable it, since it was superseded by TLS 15 years ago. If you are using SSLv3 on a website, and you don't care about IE6 on XP (IE7 on XP is good), you should be safe to disable it.

The viability of disabling SSLv3 is being discussed on a related question: Poodle: Is disabling SSL V3 on server really a solution?

While you are at it, you might want to run a test on your site to see if there are any other problems: https://www.ssllabs.com/ssltest/
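Both answers above boil down to two checks: does the server still answer an SSLv3 ClientHello, and does it still answer a TLSv1 one after you change the config. Current OpenSSL and Python builds no longer expose SSLv3 at all, so `openssl s_client -ssl3` and `ssl.PROTOCOL_SSLv3` are usually unavailable for this test. The following is an added example, not code from the question or either answer: it builds the ClientHello record by hand from the SSL 3.0 / TLS 1.x record layout, optionally appends the TLS_FALLBACK_SCSV suite from RFC 7507 that the second answer mentions, and classifies the server's first reply (ServerHello at the requested version, an alert, or nothing). Host names, ports and the cipher-suite list are assumptions chosen for the probe, and the sample ServerHello and alert bytes used for offline checks are constructed here, not captured from a real server.

```python
"""Probe whether a server still negotiates SSLv3 (added example, not from the page).

Builds a raw ClientHello record for a chosen protocol version and inspects
the first record the server sends back.  Works without SSLv3 support in the
local TLS library because nothing here uses the ssl module.
"""
import socket
import struct

# Record-layer and handshake constants shared by SSL 3.0 (RFC 6101) and TLS (RFC 5246)
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
TLS_FALLBACK_SCSV = 0x5600      # RFC 7507 signalling suite, not a real cipher
SSLV3 = (3, 0)
TLS10 = (3, 1)

# Assumed suite list: a few widely deployed RSA suites so a real server will answer.
DEFAULT_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSLV3, suites=DEFAULT_SUITES, fallback_scsv=False):
    """Return one complete record containing a ClientHello for `version`.

    fallback_scsv=True appends TLS_FALLBACK_SCSV, the marker a downgrading
    client sends on a retry so a patched server can refuse the downgrade.
    """
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    body = bytes(version)                              # client_version
    body += b"\x00" * 32                               # random: constant, this is a probe not a session
    body += b"\x00"                                    # session_id length = 0
    body += struct.pack("!H", 2 * len(suites))         # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression_methods: null only
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record in `data`.

    ("server_hello", (major, minor))  server agreed to that version
    ("alert", level, description)     server refused (e.g. 2, 70 = fatal protocol_version)
    ("unknown", x)                    anything else; an empty reply (reset/close) gives ("unknown", b"")
    """
    if len(data) < 5:
        return ("unknown", data[:1])
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return ("alert", payload[0], payload[1])
    if (content_type == CONTENT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO):
        # ServerHello body: type(1) length(3) server_version(2) ...
        return ("server_hello", (payload[4], payload[5]))
    return ("unknown", content_type)


def probe_version(host, port=443, version=SSLV3, fallback_scsv=False, timeout=5.0):
    """Send a ClientHello at `version` and return the classified reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, fallback_scsv=fallback_scsv))
        try:
            reply = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return parse_server_response(reply)


def accepts_sslv3(host, port=443):
    """True only if the server completes a ServerHello at version 3.0."""
    kind = probe_version(host, port, SSLV3)
    return kind[0] == "server_hello" and kind[1] == SSLV3


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default target
    print(target, "accepts SSLv3:", accepts_sslv3(target))
    print(target, "TLSv1 reply:", probe_version(target, version=TLS10))
```

After disabling SSLv3 you want `accepts_sslv3(host)` to be False (a fatal protocol_version alert, or a closed connection) and `probe_version(host, version=TLS10)` to still return a `server_hello`, which is the "verify TLSv1 is enabled" check from the first answer. The probe only inspects the first record, so it tells you which versions the server will negotiate, not whether the rest of the configuration is sound; the SSL Labs test linked above covers that.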