Coincidentally, I was just finishing up a series on HTTPS on OS X Server when I learned about the Poodle bug. Here’s how to defeat the bug on OS X Mavericks Server.
UPDATE (17 October 2014): None of this is now required, as the Server app has been been updated by Apple, and the SSLv3 fix is enforced directly in
The original post from 15 October 2014 follows below.
Exploiting the Poodle bug, which is now being reported very widely in the mainstream press (e.g., here), apparently relies on forcing a degradation of the connection protocol back to the older SSL version 3. One straightforward way to prevent epxloitation of the bug, therefore, is to disable support for the older standard altogether.
Here’s how to do it quickly and easily on OS X Server, via the default SSL site configuration file which lives at:
Start by creating a new configuration file which contains the following lines:
# # Quick fix to disable SSLv3 -- load this as an include in 0000_any_443_.conf.default # CodedMemes.com # <IfModule mod_ssl.c> SSLProtocol -ALL -SSLv3 +TLSv1 SSLProxyProtocol -ALL -SSLv3 +TLSv1 </IfModule>
Note that the only change we’re making here is to change
-SSLv3, so as to disable the protocol. (Given the
-All, this is somewhat overkill: we could also just remove the
+SSLv3 and leave it at that.)
Store this new configuration file in an appropriate location, such as:
Now we can load it from
0000_any_443_.conf.default via the following include, inserted at the end of the file, just before the closing
This should yield a full
0000_any_443_.conf.default which looks something like the following (with Apple’s opening comments at the top of the file not shown):
<VirtualHost *:443 > ServerAdmin firstname.lastname@example.org DocumentRoot "/Library/Server/Web/Data/Sites/Default" DirectoryIndex index.html index.php /xcode/ /wiki/ default.html CustomLog "/var/log/apache2/access_log" combinedvhost ErrorLog "/var/log/apache2/error_log" <IfModule mod_ssl.c> SSLEngine On #SSL-CERTIFICATE-DIRECTIVES-PLACEHOLDER# SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" SSLProtocol -ALL +SSLv3 +TLSv1 SSLProxyEngine On SSLProxyProtocol -ALL +SSLv3 +TLSv1 </IfModule> <Directory "/Library/Server/Web/Data/Sites/Default"> Options All +MultiViews -ExecCGI -Indexes -Includes AllowOverride None <IfModule mod_dav.c> DAV Off </IfModule> <IfDefine !WEBSERVICE_ON> Deny from all ErrorDocument 403 /customerror/websitesoff403.html </IfDefine> </Directory> Include /Library/Server/Web/Config/apache2/extra/httpd_grm_sslv3_disable.conf </VirtualHost>
Note that the details may differ slightly, depending on how the server has been configured — I’m including the above purely as an example. In particular, if your server uses a different protocol set, your include file should be adjusted to match — keeping everything the same except for excluding SSLv3.
Now just restart Apache, using the usual method:
sudo apachectl graceful
All should be well now, and if you test your domain via the server test at SSL Labs, you should find your server no longer provides SSLv3 support.
As one quick postscript, this could also be paired with a
.plist file and turned into a web app; however, since adding the include directly to the
0000_any_443_.conf.default seems to do the trick for vhosts as well, it’s not clear whether there would be much benefit from the added effort. There is, after all, little advantage to be gained from enabling the fix only on some sites and not on others.
All material on this site is carefully reviewed, but its accuracy cannot be guaranteed, and some suggestions offered here might just be silly ideas. For best results, please do your own checking and verifying. This specific article was last reviewed or updated by Greg on .