POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It is a protocol flaw, not an implementation issue; every implementation of SSL 3.0 suffers from it. This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Generic Workarounds:
Any of these four solutions avoids the vulnerability.
To disable SSLv3 on the Apache web server, you will have to adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration. Depending on your distribution's Apache configuration, the SSL configuration may be located in a separate file that is sourced.
On Ubuntu, the server-wide specification for servers can be adjusted by editing the file
/etc/apache2/mods-available/ssl.conf
If mod_ssl is enabled, a symbolic link will connect this file to the mods-enabledsubdirectory:
sudonano /etc/apache2/mods-available/ssl.conf
Save and close the file.
Restart the service to enable your changes.
sudo service apache2 restart
On CentOS, you can can adjust this in the SSL configuration file located here (if SSL is enabled):
sudonano /etc/httpd/conf.d/ssl.conf
Inside you can find the SSLProtocol directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:
SSLProtocol all -SSLv3 -SSLv2
Save and close the file. Restart the service to enable your changes.
sudo service httpd restart
In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.
To disable SSLv3,create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server)
Create a DWORD value named Enabled and leave it set at 0.
To disable SSLv2, create a subkey at the above location (if it's not already present) named SSL 2.0 and, under that, a subkey named Server (if it's not already present). At this location,
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server)
Create a DWORD value named Enabled and leave it set at 0.
This is not tested on all versions, but it's probably safe to assume that a reboot is necessary for this change to take effect.
To disable SSLv3 in anHAProxy load balancer, you will need to open the haproxy.cfg file.
This is located at /etc/haproxy/haproxy.cfg:
sudonano /etc/haproxy/haproxy.cfg
In front end configuration, if you have SSL enabled, your bind directive will specify the public IP address and port. If you are using SSL, you will want to add no-sslv3 to the end of this line:
frontendname
bindpublic_ip:443 sslcrt/path/to/certsno-sslv3
Save and close the file.
You will need to restart the service to implement the changes:
sudo service haproxy restart
To disable SSLv3 in the Nginx web server, you can use the ssl_protocols directive. This will be located in the server or http blocks in your configuration.For instance, on Ubuntu, you can either add this globally to /etc/nginx/nginx.conf inside of the httpblock, or to each server block in the /etc/nginx/sites-enabled directory.
sudonano /etc/nginx/nginx.conf
To disable SSLv3, your ssl_protocols directive should be set like this:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
You should restart the server after you have made the above modification:
sudo service nginx restart