
Disabling SSL v3.0 for SteelApp

by ebrandsberg on 10-15-2014 11:02 AM - edited on 06-01-2015 09:02 AM by PaulWallace

In October 2014, Google published details of a vulnerability in the SSL 3.0 protocol - named "POODLE" - which makes it possible for an attacker to decrypt messages between client and server in some circumstances. Because this is a problem with the protocol itself, rather than with a specific implementation of it, any client-server transaction that supports SSL 3.0 is at risk. Even if both client and server support newer protocol versions (such as TLS 1.2), an attacker in a man-in-the-middle position can force a downgrade to SSL 3.0 - so systems should disable SSL 3.0 outright and rely on more recent handshake protocols such as TLS.

How to Disable SSL 3.0 Completely

With SteelApp Traffic Manager, it is easy to disable SSL v3.0 completely from the system console. Navigate to System->Global settings->SSL Configuration; the settings on that page control how SteelApp manages SSL transactions, and SSL v3.0 can be turned off there.

How to Trap SSL Requests

So we can disable SSL 3.0 completely, but some browsers will then show an unhelpful error message; ideally, we would give the user some feedback explaining what the problem is and how to resolve it. Attach the following TrafficScript rule to your virtual server: with SSL 3.0 left enabled, the rule permits any transaction that uses TLS, but traps SSL requests and returns a custom error message to the user:

# ssl.clientCipher() describes the negotiated cipher, e.g. "... version=TLSv1.2 ...";
# it is empty when the connection to this virtual server is not SSL/TLS at all.
$cipher = ssl.clientCipher();
if (string.len($cipher) > 0) {
   if (string.contains($cipher, "version=TLS")) {
      # this is the good case: increment user-defined counter 1 (visible via SNMP)
      counter64.increment(1,1);
      break;   # stop processing this rule and let the request through
   } else {
      # logic for the SSL (insecure) cases
      counter64.increment(2,1); # increment a counter for bad cases
      event.emit("ssl request", "IP: ".request.getRemoteIP()." User-agent: ".http.getHeader("User-Agent"));
      http.sendResponse("400 Bad request", "text/plain",
         "This service requires TLS security, and is using SSL security. " .
         "Please verify your SSL/TLS settings and try again", "");
   }
}

This TrafficScript rule writes an event message to the SteelApp log file, identifying the client IP and User-Agent, and also increments a user-defined counter to help track how often attempts are made to open an SSL transaction. These counters can be graphed on the SteelApp Activity Monitor, or retrieved remotely as user-defined SNMP variables (index 1 counts good TLS requests, index 2 counts SSL requests that were rejected). The rule also raises a custom event named "ssl request", which can be used to trigger external actions if needed.
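
As an added example (not part of the original article, and not TrafficScript), the Python below reproduces the rule's accept/reject decision, generalised to a configurable minimum TLS version, and tallies the "ssl request" event messages by client IP and User-Agent so that the clients still needing attention can be listed. The exact format of the ssl.clientCipher() string and the log-line prefix are assumptions, not taken from the page.

```python
import re
from collections import Counter

# Protocol version as it appears in the ssl.clientCipher() string. The rule only
# tests for the substring "version=TLS"; the full format used here
# ("<cipher>, version=TLSv1.2, bits=128") is an assumption modelled on that test.
VERSION_RE = re.compile(r"version=(SSLv3|TLSv1(?:\.\d)?)")
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

def classify(cipher_desc, minimum="TLSv1"):
    """Return 'plain', 'allow' or 'reject' for one negotiated cipher description.

    'plain' mirrors the rule's string.len()==0 branch (not an SSL connection); 'allow' is its
    "version=TLS" branch generalised to a minimum version; everything else is 'reject'.
    """
    if not cipher_desc:
        return "plain"
    m = VERSION_RE.search(cipher_desc)
    if m is None:
        return "reject"
    return "allow" if VERSION_RANK[m.group(1)] >= VERSION_RANK[minimum] else "reject"

# Message body the rule passes to event.emit("ssl request", ...).
EVENT_RE = re.compile(r"IP: (?P<ip>\S+) User-agent: (?P<ua>.*)$")

def summarize_events(log_lines):
    """Tally rejected SSL clients per (IP, User-Agent) from 'ssl request' log lines."""
    counts = Counter()
    for line in log_lines:
        if "ssl request" not in line:
            continue  # unrelated log entry
        m = EVENT_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("ua").strip())] += 1
    return counts

# Constructed sample log lines; the timestamp/severity prefix is assumed, not from the page.
SAMPLE_LOG = [
    "2014-10-15 11:02:03 INFO ssl request IP: 203.0.113.5 User-agent: Mozilla/5.0 (Windows NT 5.1) Firefox/24.0",
    "2014-10-15 11:02:09 INFO ssl request IP: 203.0.113.5 User-agent: Mozilla/5.0 (Windows NT 5.1) Firefox/24.0",
    "2014-10-15 11:03:41 INFO ssl request IP: 198.51.100.7 User-agent: legacy-monitor/1.0",
    "2014-10-15 11:04:00 INFO health monitor passed for pool web",
]

if __name__ == "__main__":
    for desc in ("AES128-SHA, version=TLSv1.2, bits=128", "RC4-SHA, version=SSLv3, bits=128", ""):
        print(f"{desc!r:45} -> {classify(desc)}")
    for (ip, ua), n in summarize_events(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15}  {ua}")
```

Raising `minimum` to "TLSv1.2" shows which clients would also be cut off by a later policy tightening, before it is applied to the virtual server.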

To test the rule using Firefox, go to the "about:config" page and change the value "security.tls.version.max" from the default of "3" to "0". This forces SSL 3.0 to be used instead of TLS. In newer versions of Firefox, you may also need to set "security.tls.version.min" to "0" - but don't forget to set these values back to a secure setting after testing.

Poodle icon designed by http://www.thenounproject.com/edward from the http://www.thenounproject.com.
