How to Disable SSLv3 on OS X Server and Defeat the Poodle Bug


Coincidentally, I was just finishing up a series on HTTPS on OS X Server when I learned about the Poodle bug. Here’s how to defeat the bug on OS X Mavericks Server.

UPDATE (17 October 2014): None of this is now required, as the Server app has been updated by Apple, and the SSLv3 fix is enforced directly in httpd_server_app.conf.

The original post from 15 October 2014 follows below.

Exploiting the Poodle bug, which is now being reported very widely in the mainstream press (e.g., here), apparently relies on forcing a downgrade of the connection protocol back to the older SSL version 3. One straightforward way to prevent exploitation of the bug, therefore, is to disable support for the older standard altogether.

Here’s how to do it quickly and easily on OS X Server, via the default SSL site configuration file which lives at:

/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf.default

Start by creating a new configuration file which contains the following lines:

#
# Quick fix to disable SSLv3 -- load this as an include in 0000_any_443_.conf.default
# CodedMemes.com
#

<IfModule mod_ssl.c>
	SSLProtocol -ALL -SSLv3 +TLSv1
	SSLProxyProtocol -ALL -SSLv3 +TLSv1
</IfModule>

Note that the only change relative to the default directives is replacing +SSLv3 with -SSLv3, which disables the protocol. (Given the leading -ALL, the explicit -SSLv3 is somewhat redundant: simply dropping +SSLv3 would have the same effect.)

Store this new configuration file in an appropriate location, such as:

/Library/Server/Web/Config/apache2/extra/httpd_grm_sslv3_disable.conf

Now we can load it from 0000_any_443_.conf.default via the following include, inserted at the end of the file, just before the closing </VirtualHost> tag:

	Include /Library/Server/Web/Config/apache2/extra/httpd_grm_sslv3_disable.conf

This should yield a full 0000_any_443_.conf.default which looks something like the following (with Apple’s opening comments at the top of the file not shown):

<VirtualHost *:443 >
	ServerAdmin admin@example.com
	DocumentRoot "/Library/Server/Web/Data/Sites/Default"
	DirectoryIndex index.html index.php /xcode/ /wiki/ default.html
	CustomLog "/var/log/apache2/access_log" combinedvhost
	ErrorLog "/var/log/apache2/error_log"
	
	<IfModule mod_ssl.c>
		SSLEngine On
#SSL-CERTIFICATE-DIRECTIVES-PLACEHOLDER#
		SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
		SSLProtocol -ALL +SSLv3 +TLSv1
		SSLProxyEngine On
		SSLProxyProtocol -ALL +SSLv3 +TLSv1
	</IfModule>
	
	<Directory "/Library/Server/Web/Data/Sites/Default">
		Options All +MultiViews -ExecCGI -Indexes -Includes
		AllowOverride None
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
		<IfDefine !WEBSERVICE_ON>
			Deny from all
			ErrorDocument 403 /customerror/websitesoff403.html
		</IfDefine>
	</Directory>
	Include /Library/Server/Web/Config/apache2/extra/httpd_grm_sslv3_disable.conf
</VirtualHost> 

Note that the details may differ slightly, depending on how the server has been configured — I’m including the above purely as an example. In particular, if your server uses a different protocol set, your include file should be adjusted to match — keeping everything the same except for excluding SSLv3.

Now just restart Apache, using the usual method:

sudo apachectl graceful

All should be well now, and if you test your domain via the server test at SSL Labs, you should find your server no longer provides SSLv3 support.
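Before (or instead of) waiting on an external scan, the edited files can be linted locally. The script below is an added example, not code from the original post or from Apple's Server app: it resolves SSLProtocol and SSLProxyProtocol directives the way mod_ssl evaluates them (tokens applied left to right, "+" adds a protocol, "-" removes one, a bare name counts as "+name", and "ALL" expands to every known protocol) and reports whether SSLv3 is still enabled anywhere in a given config file. The list of protocols that ALL expands to (SSLv2, SSLv3, TLSv1) is an assumption taken from the Apache 2.2 documentation; newer Apache/OpenSSL builds add TLSv1.1 and TLSv1.2. The directive lines used for the self-check at the bottom are constructed to mirror the "before" and "after" states described above.

```shell
#!/bin/sh
# check_sslv3.sh -- lint Apache SSLProtocol / SSLProxyProtocol directives for
# a lingering SSLv3. Added example; not part of the original post or of OS X
# Server. Usage: sh check_sslv3.sh /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf.default
#
# What "ALL" expands to is an assumption matching the Apache 2.2 docs.
KNOWN_PROTOS="SSLv2 SSLv3 TLSv1"

# remove_proto "<list>" <name> -> prints <list> with every <name> removed
remove_proto() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="$out $p"
    done
    printf '%s' "$out"
}

# resolve_protocols "<directive arguments>" -> prints the protocols that end
# up enabled, space separated, in KNOWN_PROTOS order
resolve_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) op="+"; name="${tok#+}" ;;
            -*) op="-"; name="${tok#-}" ;;
             *) op="+"; name="$tok" ;;          # bare name behaves like "+name"
        esac
        case "$name" in
            [Aa][Ll][Ll]) names="$KNOWN_PROTOS" ;;   # "ALL" is case-insensitive
                       *) names="$name" ;;
        esac
        for n in $names; do
            if [ "$op" = "+" ]; then
                case " $enabled " in
                    *" $n "*) ;;                    # already present
                           *) enabled="$enabled $n" ;;
                esac
            else
                enabled=$(remove_proto "$enabled" "$n")
            fi
        done
    done
    # Emit in a fixed order so results are easy to compare
    out=""; sep=""
    for p in $KNOWN_PROTOS; do
        case " $enabled " in *" $p "*) out="$out$sep$p"; sep=" " ;; esac
    done
    printf '%s' "$out"
}

# file_allows_sslv3 <conf> -> exit 0 if any SSLProtocol/SSLProxyProtocol line
# in <conf> still leaves SSLv3 enabled, exit 1 if none does. Prints the names
# of the offending directives. Comments are stripped; leading whitespace and
# the case of the directive name are ignored.
file_allows_sslv3() {
    hits=$(grep -i -E '^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]' "$1" |
        sed 's/#.*//' |
        while read -r directive args; do
            case " $(resolve_protocols "$args") " in
                *" SSLv3 "*) printf '%s\n' "$directive" ;;
            esac
        done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# When given a path, report on that file (the stand-alone use of the script).
if [ -n "${1:-}" ]; then
    if file_allows_sslv3 "$1"; then
        echo "$1: SSLv3 is still enabled by the directive(s) above"
    else
        echo "$1: no SSLProtocol/SSLProxyProtocol directive enables SSLv3"
    fi
fi
```

Run it against both 0000_any_443_.conf.default and the include file; after the include is applied, the include's -SSLv3 directives override the +SSLv3 lines that precede them in the same VirtualHost, so the base file alone will still report SSLv3 until the default lines are themselves changed or the check is read as a per-directive listing. Note that the script only reads configuration, so it cannot substitute for checking the running server once Apache has been restarted.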

As one quick postscript, this could also be paired with a .plist file and turned into a web app; however, since adding the include directly to the 0000_any_443_.conf.default seems to do the trick for vhosts as well, it’s not clear whether there would be much benefit from the added effort. There is, after all, little advantage to be gained from enabling the fix only on some sites and not on others.

All material on this site is carefully reviewed, but its accuracy cannot be guaranteed, and some suggestions offered here might just be silly ideas. For best results, please do your own checking and verifying. This specific article was last reviewed or updated by Greg on .
