
After reading about the Poodle security bug, I have disabled SSLv3 on my servers and browsers.

But there are several clients that do not expose settings detailed enough via their own means of configuration, e.g. owncloud, uzbl-browser. Also, come to think about it, it is kind of cumbersome to go through every single client...

Apart from rebuilding the SSL libraries they use, is there a way to set up a system-wide default or a policy for simplistic (or "irresponsible", if you want) clients like that?

I was kind of expecting to find something in /etc/ssl but that only seems to address certificates and authorities.

Alois Mahdal
  • The simple answer is no, unfortunately this is not possible. – Xander Oct 15 '14 at 20:06
  • Because Poodle relies on adaptive chosen plaintext, it's really only web browsers that are vulnerable, which should reduce your workload a little. – paj28 Oct 15 '14 at 20:56
  • @paj28 That's not accurate; not just browsers go through HTTPS (HTTP APIs, for example). – Robert Nov 06 '14 at 15:11
  • @Robert - Only browsers are vulnerable to Poodle. See [this answer](http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability) for more information. – paj28 Nov 06 '14 at 15:14

2 Answers


It's possible to make changes at the TCP/IP SSL levels, but that's not really considered a policy per se. You might be able to use a deployment service to make the changes using AutoIT (I make company-wide changes with this as my deployment asset).


If you implement SSL proxying, you can configure your proxy server (e.g. Squid) to not use SSLv3 on either side of the connection (client-to-proxy and proxy-to-web).

ThoriumBR
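As an added illustration of the proxy approach in this answer (a constructed squid.conf fragment, not the answerer's own configuration), this is what disabling SSLv3 on both legs looks like with Squid 3.5-era SSL-bump directives; the port numbers and CA path are assumptions.

```squid
# Constructed example (Squid 3.5-era syntax); not part of the original answer.
# Client-to-proxy leg: both the explicit proxy port and the transparent
# HTTPS listener refuse SSLv2/SSLv3 handshakes from clients.
http_port 3128 ssl-bump \
    cert=/etc/squid/proxy-ca.pem \
    options=NO_SSLv2:NO_SSLv3
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/proxy-ca.pem \
    options=NO_SSLv2:NO_SSLv3

# Terminate TLS at the proxy and re-originate it towards the origin server.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Proxy-to-web leg: never offer SSLv3 to origin servers, regardless of
# what the client would have negotiated on its own.
sslproxy_options NO_SSLv2:NO_SSLv3
```

Clients must trust the proxy CA for bumping to work, and clients that pin certificates will fail rather than fall back; in Squid 4 the outgoing-side directive was renamed to tls_outgoing_options.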