SSLv3 poodle vulnerability
Yesterday, Google security researchers have disclosed a new vulnerability on SSL protocol.
Fortunately, this vulnerability is only on an old version of the SSL protocol: SSLv3 (15 years old protocol).
An attacker can force a browser to downgrade the protocol version used to cipher traffic to SSLv3 in order to exploit the POODLE vulnerability and access to data in clear.
Some reading about SSLv3 Poodle vulnerability:
Today’s article is going to explain how to use HAProxy to simply prevent using SSLv3 or to prevent those users to reach your applications and print them a message.
Disable SSLv3 in HAProxy
In SSL offloading mode
In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:
bind 10.0.0.1:443 ssl crt /pat/to/cert.pem no-sslv3
In SSL forward mode
In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:
tcp-request inspect-delay 2s
acl sslv3 req.ssl_ver 3
tcp-request content reject if sslv3
Communicate a message to users
Denying sslv3 is a good way, but a better one would to educate as well users who are using this protocol.
The configuration below shows how to redirect a user to a specific page when they want to use your application over an SSLv3 connection. Of course, HAProxy must allow itself SSLv3:
bind 10.0.0.1:443 ssl crt /pat/to/cert.pem
acl sslv3 ssl_fc_protocol SSLv3
# first rule after all your ‘http-request deny’ and
# before all the redirect, rewrite, etc….
http-request allow if sslv3
# first content switching rule
use_backend bk_sslv3 if sslv3
errorfile 503 /etc/haproxy/pages/sslv3.http
And the content of the file /etc/haproxy/pages/sslv3.http:
HTTP/1.0 200 OK
SSLv3 forbidden for your safety:<BR>
If you want to browse this website, you should upgrade your browser.