BetterCrypto⋅org

Applied Crypto Hardening

The POODLE Killed It

The POODLE attack pretty much killed SSLv3, which we no longer recommended anyway. Our bettercrypto guide generally does not recommend SSLv3 for servers. In our guide you will find that we have generally excluded SSLv3:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

If you look at the settings above, you will find that SSLProtocol disables SSLv3, whereas the cipher string, at first sight, seems to enable it again. This is not the case, however! The abbreviation +SSLv3 in the SSLCipherSuite string simply enables certain cipher combinations that were specified in SSLv3 and TLS 1.0 alike. It does not enable SSLv3!
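
A configuration audit that keeps the two directives apart, as an added example (not code from the bettercrypto guide): it computes the enabled protocol set from SSLProtocol alone and reports SSLv3 tokens in the cipher string separately. The evaluation rules (bare name sets, `+` adds, `-` removes, `All` covering the five listed protocols) are a simplified model assumed for this sketch, and the function names and the shortened sample config are constructed.

```python
import re

# Assumed protocol names; "all" expands to every one of them in this model.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: bare = set, + = add, - = remove."""
    enabled = set()
    for word in value.split():
        op, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        sel = set(KNOWN) if name.lower() == "all" else {name.lower()}
        if not sel <= KNOWN:
            raise ValueError(f"unknown protocol {word!r}")
        if op == "+":
            enabled |= sel
        elif op == "-":
            enabled -= sel
        else:
            enabled = sel
    return enabled

def audit(config):
    """Return (enabled protocols, cipher-string tokens that mention SSLv3)."""
    protocols, cipher_tokens = set(), []
    for line in config.splitlines():
        m = re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.*\S)", line, re.I)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2)
        if directive == "sslprotocol":
            protocols = enabled_protocols(value)
        else:
            # Cipher-string tokens act on the cipher suite list only;
            # they are never added to the protocol set.
            tokens = value.strip("'\"").split(":")
            cipher_tokens += [t for t in tokens if "sslv3" in t.lower()]
    return protocols, cipher_tokens

# Constructed sample: the page's directives with a shortened cipher string.
CONFIG = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH:+AES256:+SSLv3:!aNULL:!RC4:AES256-SHA'
"""

if __name__ == "__main__":
    protocols, tokens = audit(CONFIG)
    print("protocols enabled:", sorted(protocols))
    print("SSLv3 tokens in cipher string (suite selection only):", tokens)
```
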