Educause Security Discussion mailing list archives

Re: Lessons learned disabling SSLv3


From: William Clarke <wclarke () SIMONS-ROCK EDU>
Date: Tue, 24 Mar 2015 12:57:32 -0400

Good afternoon Dan,

Although I'm fairly new to the world of implementing security policies I can at least share some things I've gathered so far. First, I would start using Qualys SSL Labs free test to check your overall grade which you can find here: https://www.ssllabs.com/ssltest/. As long as the outside world can access your server the online "free" test will complete and will provide some great suggestions. Most importantly the SSL cipher suite that you're using. We've found it very useful. The default ciphers even on new CentOS 7 releases should be locked down. By default SSLv3 is enabled which is vulnerable to POODLE attacks and also uses weak ciphers, for example RC4. I would suggest disabling SSLv3 and using a stronger suite of ciphers rather than disabling TLS1.0 completely. The test will show you exactly how all clients will choose their connection so it may give you a better idea of client connections that will complete or fail.

My understanding is that Windows XP users might have an issue connecting to servers that have SSLv3 disabled but if they have the latest patches\service packs installed then IE does have an option to use TLS1.0. With that said, I don't think we heard from even one user that their XP \ IE6 machine couldn't connect after disabling SSLv3. In that event I would suggest to install Firefox or Google Chrome if your site\school supports it. I hope this helps.

Thanks,

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
wclarke () simons-rock edu

On 3/24/2015 11:47 AM, Woodruff, Dan wrote:

We are working to disable SSLv3 in favor of at least TLS1.0 (possibly higher) on all web servers at the University. We have some concerns about browser compatibility issues with the versions of TLS. All modern browsers support at least TLSv1.0 so we anticipate that the impact to our community will be low if we disabled only SSLv3. If we disabled TLSv1.0 as well, it seems more browsers would have compatibility issues. Source: http://en.wikipedia.org/wiki/Transport_Layer_Security

For systems that are managed by the University, we can make broad configuration changes as needed, but we also have students and outside parties with machines not under our control. I’m wondering if other schools have gone through this effort to disable SSLv3 and/or TLSv1.0 and have any lessons learned or unexpected consequences they could share?

Thanks in advance,

Dan Woodruff

University IT Security and Policy

University of Rochester
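The thread's advice (disable SSLv3, drop RC4, keep TLS1.0 for older clients) is usually applied to the Apache mod_ssl configuration on servers like the CentOS 7 hosts mentioned above. The script below is an added example, not code from either poster or from the httpd project: it expands an `SSLProtocol` value the way mod_ssl does (`all`, `+name`, `-name`) and runs a small audit over two constructed `ssl.conf` fragments, a weak one modelled on the stock `all -SSLv2` / `HIGH:MEDIUM` style defaults and a hardened one. The RC4 check is a heuristic on the cipher string; the authoritative expansion is `openssl ciphers -v '<string>'` on the server itself.

```python
"""Audit Apache mod_ssl directives for SSLv3 and RC4 (added example, not from the thread)."""
import re

# What 'all' expands to in httpd 2.4 built against OpenSSL 1.0.1+ (SSLv2 is not part of 'all').
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS | {"SSLv2"}}

# Positive selectors that can pull RC4 suites into an OpenSSL cipher list.
RC4_POSITIVE = {"ALL", "DEFAULT", "MEDIUM", "RC4", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL"}


def enabled_protocols(directive_value: str) -> set:
    """Expand an SSLProtocol value such as 'all -SSLv2' into the set of enabled protocols."""
    enabled = set()
    for token in directive_value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(ALL_PROTOCOLS)
        else:
            names = {CANONICAL.get(token.lower(), token)}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def rc4_risk(cipher_string: str) -> bool:
    """Heuristic: True when RC4 is not killed with !RC4/-RC4 and a selector may include it."""
    tokens = [t.strip().upper() for t in cipher_string.strip('"').split(":")]
    if any(t in ("!RC4", "-RC4") for t in tokens):
        return False
    return any(t in RC4_POSITIVE or "RC4" in t for t in tokens)


def audit(config_text: str) -> dict:
    """Return enabled protocols, cipher string and a list of findings for an ssl.conf fragment."""
    protocols, ciphers = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            protocols = enabled_protocols(m.group(2))
        else:
            ciphers = m.group(2).strip().strip('"')
    if protocols is None:
        # httpd 2.4.6 (CentOS 7 era) defaulted SSLProtocol to 'all' when the directive is absent.
        protocols = set(ALL_PROTOCOLS)
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled (POODLE)")
    if ciphers is None or rc4_risk(ciphers):
        findings.append("RC4 not excluded from SSLCipherSuite")
    return {"protocols": protocols, "ciphers": ciphers, "findings": findings}


# Constructed sample: weak configuration in the style of a stock ssl.conf.
WEAK_CONF = """
# SSL Protocol support: SSLv3 is still on here
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

# Constructed sample: hardened configuration following the thread's advice
# (SSLv3 off, RC4 off, TLS1.0 kept for older clients, server picks the cipher order).
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES256-SHA:!aNULL:!MD5:!RC4"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(name, sorted(result["protocols"]), result["findings"] or "OK")
```

Run it against a copy of your own `ssl.conf` by passing the file contents to `audit()`; the hardened fragment keeps TLSv1 enabled on purpose, matching William's suggestion of disabling SSLv3 without cutting off TLS1.0 clients.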


