The Interwebs world has been rocked again with yet another server vulnerability. This one is called POODLE and is anything but cute and cuddly.
What’s the issue?
There’s a problem with v3.0 of the SSL (Secure Sockets Layer) protocol that most Linux-based servers still run today.
It allows plaintext (decrypted) credentials to be read, making it possible for somebody to snoop on your “secure” transmissions.
The v3.0 SSL service protocol is pretty old – in
Newer protocols are used today (TLS 1.0, 1.1, or 1.2), but when these fail the server will automatically try a fallback connection via SSL v3.0, and that’s the issue here.
Does this affect SSL Certificates?
How do you know if your server is affected by this issue?
The Poodlebleed website has a small testing script that you can use to see if your server is affected.
Fixing the issue on the server
There are quite a few services on a server which may use the SSL v3.0 protocol including web servers (Apache, Nginx, Lighttpd) and email services such as Sendmail and Dovecot.
Here’s a great resource on how to test and fix each of these services.
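As an added example (not from this post or the linked resource), the sketch below checks configuration text from three of the services named above for a protocol directive that still leaves SSL v3.0 switched on. The directive names (`SSLProtocol` for Apache, `ssl_protocols` for Nginx and Dovecot 2.x) come from those projects' configuration syntax rather than from this page, the Apache handling is a conservative approximation, and the sample configs are constructed.

```python
import re

# Protocol directives for three of the services the article names.
DIRECTIVES = {
    "apache":  re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I | re.M),
    "nginx":   re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.M),
    "dovecot": re.compile(r"^\s*ssl_protocols\s*=\s*([^#\n]+)", re.M),
}

def sslv3_enabled(service, tokens):
    """Decide whether one directive's token list leaves SSLv3 on."""
    toks = [t.lower() for t in tokens]
    if service == "nginx":        # plain allow-list
        return "sslv3" in toks
    if service == "dovecot":      # '!' excludes; any bare name makes an allow-list
        if "!sslv3" in toks:
            return False
        allow = [t for t in toks if not t.startswith("!")]
        return not allow or "sslv3" in allow
    # apache: read left to right; '-' removes, anything else adds.
    # "all" is assumed to include SSLv3 (the conservative reading).
    on = False
    for t in toks:
        if t.lstrip("+-") in ("all", "sslv3"):
            on = not t.startswith("-")
    return on

def audit(service, config_text):
    """Return one (directive value, verdict) pair per directive found."""
    findings = []
    for m in DIRECTIVES[service].finditer(config_text):
        value = m.group(1).strip()
        bad = sslv3_enabled(service, value.split())
        findings.append((value, "SSLv3 ENABLED" if bad else "ok"))
    # No explicit directive: the build default applies, so it cannot be judged here.
    return findings or [("<no directive>", "build default applies, check manually")]

SAMPLES = {  # constructed config fragments, not taken from any real server
    "apache":  "SSLEngine on\nSSLProtocol all -SSLv2\n",
    "nginx":   "server {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n",
    "dovecot": "ssl = yes\nssl_protocols = !SSLv2\n",
}

if __name__ == "__main__":
    for svc, text in SAMPLES.items():
        for value, verdict in audit(svc, text):
            print(f"{svc:8} {value:26} {verdict}")
```

A config with no explicit directive is reported separately because the outcome then depends on the defaults of the installed server and OpenSSL build.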