How to mitigate POODLE but keep SSLv3 support for old clients

How do I mitigate the POODLE attack but still keep support for old clients such as IE6 on Windows XP or an e-mail client?

I've noticed that Google does this: https://www.ssllabs.com/ssltest/analyze.html?d=mail.google.com

I'm using nginx and openssl.

In addition I want to keep Forward Secrecy with modern/most browsers. I want to keep my A-rating on ssllabs.


Solution 1:

As Google writes in this blog entry http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html, there are three ways of mitigating POODLE:

  • Disable SSL 3.0 support
  • Disable CBC-mode ciphers with SSL 3.0
  • Support TLS_FALLBACK_SCSV

The first two options break compatibility with old clients such as IE6 on XP. TLS_FALLBACK_SCSV depends on the browser supporting it, which at the moment only Chrome does, but Firefox will too soon. TLS_FALLBACK_SCSV requires the newly released OpenSSL 1.0.1j.

If possible you should disable SSL 3 support, but if you need to keep it around, this is how you can mitigate it, if you have OpenSSL 1.0.1j and nginx:

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

This configuration of ciphers will provide forward secrecy in most browsers and mitigate POODLE+BEAST server-side. It works by prioritizing RC4 over AES when faced with an SSL 3 or TLS 1.0 browser, thus avoiding the CBC mode. Browsers that are running TLS 1.1+ don't use RC4, which is not as secure as we'd like.

It currently gives an A rating on ssllabs; an example of this in action: https://www.ssllabs.com/ssltest/analyze.html?d=s.nimta.com
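The answer relies on nginx's server-side cipher preference: with ssl_prefer_server_ciphers on, the server walks its own ordered list and picks the first cipher the client also offers (and that the negotiated protocol allows). The script below is an added example, not part of the answer or of nginx/OpenSSL, that simulates this selection against constructed client offers; the server list is a hand-written, shortened approximation of how OpenSSL 1.0.1 expands the ssl_ciphers string above, and the client lists are assumptions about what such clients typically offer.

```python
# Added example: simulate nginx's server-preference cipher selection so the
# "RC4 instead of CBC for SSL3/TLS1.0 clients" claim can be checked per client.
# SERVER_ORDER is a constructed, shortened approximation of
# `openssl ciphers -v '<ssl_ciphers string>'` on OpenSSL 1.0.1 (not real output):
# (cipher name, lowest protocol it is allowed at, bulk encryption).
SERVER_ORDER = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", "AESGCM"),   # EECDH+aRSA+AESGCM
    ("ECDHE-RSA-AES256-SHA384",     "TLSv1.2", "AES-CBC"),  # EECDH+aRSA+SHA384
    ("ECDHE-RSA-RC4-SHA",           "SSLv3",   "RC4"),      # EECDH+aRSA+RC4
    ("ECDHE-RSA-AES256-SHA",        "SSLv3",   "AES-CBC"),  # EECDH (remaining)
    ("DHE-RSA-AES256-SHA",          "SSLv3",   "AES-CBC"),  # EDH+aRSA
    ("RC4-SHA",                     "SSLv3",   "RC4"),      # RC4 (RC4-MD5 is !MD5)
]
# Constructed client offers (assumed), in the client's own preference order.
CLIENTS = {
    "ie6_xp":    ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
    "tls10_ecdhe": ["ECDHE-RSA-AES256-SHA", "ECDHE-RSA-RC4-SHA", "AES256-SHA"],
    "tls10_dhe_only": ["DHE-RSA-AES256-SHA", "RC4-SHA"],
    "tls12":     ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA"],
}
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def negotiate(client_offer, protocol):
    """Server preference: first cipher in SERVER_ORDER that the client also
    offers and that is permitted at the negotiated protocol version."""
    for name, min_proto, enc in SERVER_ORDER:
        if RANK[min_proto] <= RANK[protocol] and name in client_offer:
            return name, enc
    return None  # handshake failure: no common cipher


def is_poodle_safe(result):
    """POODLE needs a CBC cipher under SSL 3 (and BEAST under TLS 1.0);
    a stream cipher (RC4) or an AEAD suite (GCM) sidesteps it."""
    return result is not None and result[1] != "AES-CBC"


if __name__ == "__main__":
    for label, proto in [("ie6_xp", "SSLv3"), ("tls10_ecdhe", "TLSv1"),
                         ("tls10_dhe_only", "TLSv1"), ("tls12", "TLSv1.2")]:
        chosen = negotiate(CLIENTS[label], proto)
        print(f"{label:15} {proto:8} -> {chosen}  poodle-safe={is_poodle_safe(chosen)}")
```

The simulation shows the ordering working for an RSA-only client like IE6 and for ECDHE-capable TLS 1.0 browsers, but also the gap a reviewer would flag: a client that offers DHE but not ECDHE is matched by EDH+aRSA before RC4 and still lands on a CBC suite.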