Mitigating Poodle / SSL 3.0 Issue

#1 Thu, 10/16/2014 - 14:50

It was recently discovered that SSL 3.0 is vulnerable to a man-in-the-middle attack, a method dubbed "Poodle". That's part of CVE-2014-3566, which is described here:

The problem is within the SSL protocol itself, and thus, it is recommended that SSL 3.0 be disabled.

The following describes how to do that:


In RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf.

In Ubuntu/Debian, edit /etc/apache2/mods-enabled/ssl.conf.

Look for a line beginning with SSLProtocol; it should look something like this:

SSLProtocol all -SSLv2

You need to modify it to look like this:

SSLProtocol all -SSLv2 -SSLv3

And then restart Apache:

RHEL/CentOS: /etc/init.d/httpd restart

Ubuntu/Debian: /etc/init.d/apache2 restart


Webmin will correct this issue automatically in the future. In the meantime, to disable SSLv3, edit this file:


And add the following line to the end:


Then restart Webmin:

/etc/init.d/webmin restart


Edit this file:


And add the following line to the end:


Then restart Usermin:

/etc/init.d/usermin restart

Thu, 10/16/2014 - 17:19

Would the same procedure apply to Usermin as well?

Thu, 10/16/2014 - 23:33

On all of my CentOS 6 & 7 boxes, "SSLProtocol ALL -SSLv2" is also declared in the /etc/httpd/conf/httpd.conf file; it must be changed in this location as well.
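The Apache part of the procedure above, as an added audit script (not code from the thread or from Virtualmin): it scans every config file you hand it, so the extra SSLProtocol line in httpd.conf reported in this reply is caught along with the one in ssl.conf. It evaluates each directive left to right the way mod_ssl does (my assumption about the parser, not something the thread states), so both the subtractive "all -SSLv2 -SSLv3" form and a whitelist "-All +TLSv1 +TLSv1.1 +TLSv1.2" form count as safe, while "all -SSLv2" or "-SSLv3 all" do not. The sample files at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit Apache "SSLProtocol" directives
# across the files where the thread says they appear (ssl.conf and, on some
# CentOS builds, httpd.conf too) and report any that still allow SSLv3.
# Assumption (mine): directives are evaluated left to right as in mod_ssl,
# so "all -SSLv3" disables SSLv3 but "-SSLv3 all" does not.

# classify_sslprotocol VALUE: prints "safe" when the resulting protocol set
# excludes SSLv3, "unsafe" otherwise (and returns 1 when unsafe).
classify_sslprotocol() {
    v3=0                      # is SSLv3 enabled after the tokens seen so far?
    for tok in $1; do
        action='='            # a bare keyword replaces the whole set
        case "$tok" in
            +*) action='+'; tok=${tok#+} ;;
            -*) action='-'; tok=${tok#-} ;;
        esac
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            all|sslv3) hits=1 ;;   # "all" is a shorthand that includes SSLv3
            *)         hits=0 ;;
        esac
        case "$action" in
            '+') if [ "$hits" -eq 1 ]; then v3=1; fi ;;
            '-') if [ "$hits" -eq 1 ]; then v3=0; fi ;;
            '=') v3=$hits ;;
        esac
    done
    if [ "$v3" -eq 1 ]; then echo unsafe; return 1; fi
    echo safe
}

# audit_sslprotocol FILE...: one report line per active (uncommented)
# directive, plus a note for files that carry none.
audit_sslprotocol() {
    for f in "$@"; do
        n=0
        for ln in $(grep -in '^[[:space:]]*sslprotocol[[:space:]]' "$f" | cut -d: -f1); do
            n=$((n + 1))
            # Drop leading whitespace, the directive name and trailing blanks.
            value=$(sed -n "${ln}p" "$f" | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//')
            printf '%s:%s: SSLProtocol %s -> %s\n' "$f" "$ln" "$value" "$(classify_sslprotocol "$value")"
        done
        if [ "$n" -eq 0 ]; then
            printf '%s: no SSLProtocol directive (Apache default applies)\n' "$f"
        fi
    done
    return 0
}

# count_unsafe FILE...: number of directives that still allow SSLv3.
count_unsafe() {
    audit_sslprotocol "$@" | grep -c 'unsafe$' || true
}

# Demo on constructed sample files (not real server configuration).
demo_dir=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$demo_dir/ssl.conf"
printf '#SSLProtocol all\nSSLProtocol ALL -SSLv2 -SSLv3\n' > "$demo_dir/httpd.conf"
printf '  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2\n' > "$demo_dir/vhost.conf"
audit_sslprotocol "$demo_dir/ssl.conf" "$demo_dir/httpd.conf" "$demo_dir/vhost.conf"
echo "directives still allowing SSLv3: $(count_unsafe "$demo_dir"/*.conf)"
rm -rf "$demo_dir"
```

Run it against the real files (for example `audit_sslprotocol /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf`) before and after the edit and restart. For a live check after restarting Apache, `openssl s_client -connect host:443 -ssl3` should fail to complete a handshake once SSLv3 is off; that only works from a machine whose OpenSSL build still accepts `-ssl3`, which many current builds no longer do.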

Fri, 10/17/2014 - 10:26 (Reply to #3)

Thanks for the heads up about this! While I didn't notice that on our main Virtualmin server, I'll review some other CentOS systems to see if that's common.


Thu, 10/30/2014 - 02:56 (Reply to #4)

That line is in my httpd.conf as well. Do I need to add -SSLv3?

SSLProtocol ALL -SSLv2

Sat, 10/18/2014 - 20:00 (Reply to #5)

Not declared in my httpd.conf running Virtualmin on CentOS Linux 5.11

Tue, 10/21/2014 - 03:56


I was wondering what could be done for Postfix and Dovecot SSL connections. I found this:

Describing more or less what has been said here for Apache and adding some info for Postfix and Dovecot.

For Postfix, they mention 2 options related to the way you are running it, either "opportunistic SSL" or "mandatory SSL", but because I mainly use Virtualmin to set up my servers, I have trouble understanding the relationship between these 2 modes and the Virtualmin parameters. Could somebody give me some pointers about the parameters in Virtualmin that make my Postfix SSL "opportunistic" or "mandatory"?

Thanks. Pierre.

Tue, 10/21/2014 - 15:44

There is a conflict going on between webmin and usermin and using only PCI secure protocols.

If you are using PCI protocols webmin uses the following:


Notice the +SSLv3 --- if you change that to the required !SSLv3 you can't connect to webmin or usermin.

Secure Connection Failed

An error occurred during a connection to Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

How do you solve this issue?

Tue, 10/21/2014 - 16:09

I found the solution to the PCI cyphers in usermin and webmin...

Set the following in miniserv.conf:


This makes the PCI scan pass.

Tue, 10/21/2014 - 16:12 (Reply to #9)

Hmm, that's not pasting right.

disable the SSLv3 --> !SSLv3

then add next to the first TLS --> :+TLSv1.1:+TLSv1.2

Tue, 10/21/2014 - 16:27 (Reply to #10)

If I add the suggested ssl_cipher_list in my miniserv.conf for webmin I get:


So back to ssl_version=10.

Tue, 10/21/2014 - 16:35 (Reply to #11)

That cypher list isn't pasting right -- it's missing a couple cyphers

Tue, 10/21/2014 - 16:39 (Reply to #12)

See for the right lines to add to miniserv.

Tue, 10/21/2014 - 16:12

It sounds like there isn't a good way to solve this problem by changing the ciphers in Webmin and Usermin (though I read your post after I posted this, and sounds like you may have gotten that very thing working!).

However, the "ssl_version=10" setting mentioned above will effectively disable SSLv2 and SSLv3 in Webmin and Usermin. Will that do what you're after?

There's a Webmin bug report open that discusses that here:

Tue, 10/21/2014 - 16:40 (Reply to #14)

I don't have an SF account, so I can't add what PCI will require now.

Tue, 10/21/2014 - 16:18

Eric, you got Google Talk? Add me if you do -- sgrayban

Tue, 10/21/2014 - 16:44 (Reply to #16)

If anyone wants to contact me about the PCI issue, add to your Google Talk.

Wed, 11/12/2014 - 00:46

This will remove the Poodle vulnerability risk for webmin and usermin.

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+SSLv3:!SSLv2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Note: The cipher and the protocol are distinct.

TLS1, for example, can use SSLv3 ciphers. For this reason it must be included in ssl_cipher_list to work correctly.

As for the protocols, this explicitly denies SSLv3 and SSLv2.
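The miniserv.conf discussion above (the ssl_version=10 setting, the cipher list that "isn't pasting right", and the point that SSLv3 in a cipher string names cipher suites rather than the protocol), as an added inspection script that is not from the thread or from Webmin. It treats miniserv.conf as a flat key=value file and, following the thread's statement, reads ssl_version=10 as "TLS only" (11 and 12 are treated the same way; that extension is my assumption). The weak-alias check works on the string itself; the syntax check shells out to the local `openssl ciphers` when it is installed, which is what catches a mangled paste. The sample config is constructed, using the cipher list posted above.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a Webmin or Usermin
# miniserv.conf for the two settings argued about above, ssl_version and
# ssl_cipher_list. Assumptions (mine): miniserv.conf is a flat key=value
# file, and, as the thread states, ssl_version=10 pins miniserv to TLS so
# SSLv2/SSLv3 are no longer offered; 11 and 12 are treated alike here.

# miniserv_get KEY FILE: value of the first "KEY=value" line, or nothing.
miniserv_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# miniserv_protocol_status FILE: "tls-only" if ssl_version pins TLS,
# "legacy" when it is unset or still allows the SSL versions.
miniserv_protocol_status() {
    case "$(miniserv_get ssl_version "$1")" in
        10|11|12) echo tls-only ;;
        *)        echo legacy ;;
    esac
}

# cipher_string_weak_aliases STRING: prints each enabled component (no "!"
# or "-" prefix) that is a weak OpenSSL alias. Note that "+SSLv3" is NOT
# flagged: in a cipher string it selects suites usable from SSLv3 onward,
# which TLS 1.0 also uses, exactly the point made in the post above.
cipher_string_weak_aliases() {
    printf '%s' "$1" | tr ':' '\n' | while IFS= read -r part; do
        case "$part" in
            '!'*|-*) continue ;;              # excluded or removed: skip
        esac
        p=${part#+}                           # "+X" only reorders, X stays on
        case "$p" in
            RC4|MD5|NULL|aNULL|eNULL|ADH|EXP|EXPORT|LOW|DES) printf '%s\n' "$p" ;;
        esac
    done
}

# cipher_string_resolves STRING: asks the local OpenSSL to expand the
# string; prints the suite count, "unchecked" without openssl, or
# "rejected" (returning 1) when the string is not valid, which is what a
# damaged copy/paste looks like.
cipher_string_resolves() {
    command -v openssl >/dev/null 2>&1 || { echo unchecked; return 0; }
    if resolved=$(openssl ciphers "$1" 2>/dev/null); then
        printf '%s\n' "$resolved" | tr ':' '\n' | grep -c .
    else
        echo rejected
        return 1
    fi
}

# Demo on a constructed miniserv.conf fragment (not a real server file),
# carrying the cipher list from the post above.
demo=$(mktemp -d)
cat > "$demo/miniserv.conf" <<'EOF'
port=10000
ssl=1
ssl_version=10
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+SSLv3:!SSLv2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
EOF
echo "protocols: $(miniserv_protocol_status "$demo/miniserv.conf")"
list=$(miniserv_get ssl_cipher_list "$demo/miniserv.conf")
echo "weak aliases still enabled: $(cipher_string_weak_aliases "$list" | tr '\n' ' ')"
echo "suites resolved by local openssl: $(cipher_string_resolves "$list")"
rm -rf "$demo"
```

On the posted list the script reports RC4 as the one weak alias left enabled (the post keeps it deliberately), and "rejected" from the resolver is the quick way to tell a truncated paste from a working list before restarting Webmin.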

Sat, 11/22/2014 - 07:18

I found a site that really helped getting everything secured with apache. I know this has been beaten to death but these cyphers and settings are what you need to pass PCI and secure against all the current hacks with apache...


SSLHonorCipherOrder on
SSLCompression Off
SSLProtocol all -SSLv2 -SSLv3

You can see the results by testing my billing server at

The only issue is the current cert was issued using SHA1, but that will not make the PCI scan fail; it will give you a warning that SHA1 certs will not be allowed after 2014.

Wed, 12/31/2014 - 08:43

I can't get this to work on my CentOS 6 Virtualmin.

I have this on my /etc/webmin/miniserv.conf

Wed, 12/31/2014 - 19:29

Try this:


Thu, 01/01/2015 - 01:29

I have the CA cert installed... If I install this chain cert, it will replace the CA one. How do I install this chain certificate?

When I check here, it shows SAFE from Poodle & Heartbleed, but I'm getting one issue:

Update your certificate chain.
Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate.

Thu, 01/01/2015 - 03:21

Look in your SSL section -- look at the tabs -- the end one is what you are looking for.

Fri, 01/02/2015 - 01:17

Thanks ... Resolved!

Fri, 04/03/2015 - 01:47

I wonder if the solution offered on for CentOS/RHEL 6.x:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

is more complete, as it disables all protocols and enables only the recommended +TLSv1 +TLSv1.1 +TLSv1.2 protocols? Or is it the same as SSLProtocol all -SSLv2 -SSLv3?

Sun, 11/27/2016 - 11:57

allsupported wrote that summary

It's based on this ticket

- - -
Senior Product Manager, and Co-Founder at Inc.
Love back your Virtualmin & Webmin community

Sun, 11/27/2016 - 12:02


Since Version 1.720 (24th November 2014):

SSL v2 and v3 are now disabled by default at Webmin install time, to block the POODLE attack. They can be re-enabled on the SSL Encryption page of the Webmin Configuration module.

