Educause Security Discussion mailing list archives
Re: Lessons learned disabling SSLv3
From: William Clarke <wclarke () SIMONS-ROCK EDU>
Date: Tue, 24 Mar 2015 12:57:32 -0400
Good afternoon Dan,

Although I'm fairly new to the world of implementing security policies, I can at least share some things I've gathered so far. First, I would start using Qualys SSL Labs' free test to check your overall grade, which you can find here: https://www.ssllabs.com/ssltest/. As long as the outside world can access your server, the online "free" test will complete and will provide some great suggestions, most importantly about the SSL cipher suite that you're using. We've found it very useful. The default ciphers even on new CentOS 7 releases should be locked down. By default SSLv3 is enabled, which is vulnerable to POODLE attacks and also uses weak ciphers, for example RC4. I would suggest disabling SSLv3 and using a stronger suite of ciphers rather than disabling TLS1.0 completely. The test will show you exactly how all clients will choose their connection, so it may give you a better idea of which client connections will complete or fail.

My understanding is that Windows XP users might have an issue connecting to servers that have SSLv3 disabled, but if they have the latest patches/service packs installed then IE does have an option to use TLS1.0. With that said, I don't think we heard from even one user that their XP / IE6 machine couldn't connect after disabling SSLv3. In that event I would suggest installing Firefox or Google Chrome if your site/school supports it. I hope this helps.
Thanks,
William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA 01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
wclarke () simons-rock edu

On 3/24/2015 11:47 AM, Woodruff, Dan wrote:
> We are working to disable SSLv3 in favor of at least TLS1.0 (possibly higher) on all web servers at the University. We have some concerns about browser compatibility issues with the versions of TLS. All modern browsers support at least TLSv1.0, so we anticipate that the impact to our community will be low if we disabled only SSLv3. If we disabled TLSv1.0 as well, it seems more browsers would have compatibility issues. Source: http://en.wikipedia.org/wiki/Transport_Layer_Security
>
> For systems that are managed by the University, we can make broad configuration changes as needed, but we also have students and outside parties with machines not under our control. I'm wondering if other schools have gone through this effort to disable SSLv3 and/or TLSv1.0 and have any lessons learned or unexpected consequences they could share?
>
> Thanks in advance,
> Dan Woodruff
> University IT Security and Policy
> University of Rochester
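An added example, not code from William, Dan or the list: a small Python lint for Apache mod_ssl `SSLProtocol` / `SSLCipherSuite` values that resolves Apache's `all` / `+` / `-` syntax and flags the two points William's reply makes (SSLv3 still enabled, RC4 not excluded) while also warning if TLS 1.0 was dropped along with SSLv3, which is the compatibility concern Dan raises. The two config snippets are constructed; the list of protocol versions assumes an OpenSSL build with no SSLv2 support, as on CentOS 7, and the lint is a heuristic, not a replacement for the SSL Labs scan against the live server.

```python
import re

# Assumption: the build supports these versions and nothing older (SSLv2 already gone).
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed snippets: a stock-looking weak config and a hardened one that keeps TLS 1.0.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
"""


def enabled_protocols(value):
    """Resolve an SSLProtocol value into the set of enabled versions.

    mod_ssl semantics: a bare name or '+name' enables a version, '-name' disables it,
    and 'all' stands for every version the build supports (KNOWN_PROTOCOLS here).
    Tokens are applied left to right, so 'all -SSLv3' leaves only the TLS versions.
    """
    enabled = set()
    for token in value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        names = KNOWN_PROTOCOLS if token.lower() == "all" else (token,)
        for name in names:
            if sign == "+":
                enabled.add(name)
            else:
                enabled.discard(name)
    return enabled


def rc4_excluded(cipher_suite):
    """True if the OpenSSL cipher string explicitly removes RC4 ('!RC4' or '-RC4')."""
    parts = [p.strip().upper() for p in cipher_suite.split(":")]
    return "!RC4" in parts or "-RC4" in parts


def lint_config(text):
    """Return a list of findings for an Apache mod_ssl configuration fragment."""
    protocols = None
    ciphers = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2).strip()
        if directive == "sslprotocol":
            protocols = enabled_protocols(value)
        else:
            ciphers = value

    findings = []
    if protocols is None:
        # Assumption: an absent directive behaves like 'all' (every supported version on).
        protocols = enabled_protocols("all")
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled (POODLE)")
    if "TLSv1" not in protocols:
        findings.append("TLSv1.0 disabled; older clients such as XP/IE will fail to connect")
    if ciphers is None:
        findings.append("no SSLCipherSuite set; mod_ssl default applies, verify with SSL Labs")
    elif not rc4_excluded(ciphers):
        findings.append("RC4 not excluded from SSLCipherSuite")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", lint_config(cfg) or ["no findings"])
```

Run it against a real `ssl.conf` by reading the file into `lint_config`; the hardened snippet shows the change William recommends (drop SSLv3, exclude RC4, leave TLS 1.0 on), and the lint stays quiet for it.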
Current thread:
- Lessons learned disabling SSLv3 Woodruff, Dan (Mar 24)
- Re: Lessons learned disabling SSLv3 Jeff Borton (Mar 24)
- Re: Lessons learned disabling SSLv3 Rob Taylor (Mar 24)
- Re: Lessons learned disabling SSLv3 Childs, Aaron (Mar 24)
- Re: Lessons learned disabling SSLv3 William Clarke (Mar 24)
- Re: Lessons learned disabling SSLv3 Thomas Carter (Mar 24)
- Re: Lessons learned disabling SSLv3 McClenon, Brady (Mar 24)
- Re: Lessons learned disabling SSLv3 Thomas Carter (Mar 25)
- Re: Lessons learned disabling SSLv3 Brad Judy (Mar 25)
- Re: Lessons learned disabling SSLv3 Velislav K Pavlov (Mar 25)
- Re: Lessons learned disabling SSLv3 McClenon, Brady (Mar 24)
- Re: Lessons learned disabling SSLv3 Will Froning (Mar 28)