Disabling SSLv3

With POODLE the time has come to disable SSLv3 everywhere. There will be clients that break and need fixing but it needs doing. You can read more details and background on the vulnerability.

Here are a few useful snippets from my experience with it this week:

Apache

Make sure the combination you have for the SSLProtocol line disables SSLv2 and v3 – something like:
SSLProtocol All -SSLv2 -SSLv3

DataPower

Ensure your crypto profiles have SSLv2 and v3 disabled in the options line:

  switch <domain>
  co 
  crypto 
  profile <profile>
  option-string OpenSSL-default+Disable-SSLv2+Disable-SSLv3
  exit 
  exit 
  write mem 

Java

If you have problems with handshakes from a Java client process, force the protocols to use with:
-Dhttps.protocols=TLSv1

nginx

Make sure the ssl_protocols line in your SSL configuration doesn’t have SSLv3 in it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
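
To check the Apache and nginx lines above across existing config files, the following is an added example (not code from the original post). It assumes Apache's "All" includes SSLv3, as it does when mod_ssl is built against an OpenSSL that still has SSLv3 compiled in; the sample config text and the function names are constructed for illustration.

```python
# Assumption: "all" still includes SSLv3, so it has to be subtracted explicitly.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_enabled(args):
    """Apply lower-cased SSLProtocol tokens left to right; return the enabled set."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = set(APACHE_ALL) if name == "all" else {name}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = protos  # a bare token replaces whatever was set before it
    return enabled

def audit(text):
    """Return (line number, line) for each directive that leaves SSLv3 enabled."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments and nginx ';'
        parts = line.split()
        if len(parts) < 2:
            continue
        key, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if key == "sslprotocol":        # Apache mod_ssl
            enabled = apache_enabled(args)
        elif key == "ssl_protocols":    # nginx
            enabled = set(args)
        else:
            continue
        if "sslv3" in enabled:
            findings.append((n, raw.strip()))
    return findings

# Constructed sample mixing Apache and nginx directives.
SAMPLE = """\
SSLProtocol All -SSLv2
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# SSLProtocol +SSLv3
SSLProtocol -All +TLSv1
"""

if __name__ == "__main__":
    for n, line in audit(SAMPLE):
        print(f"line {n}: SSLv3 still enabled: {line}")
```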

nodejs

Make sure you don’t have secureProtocol:SSLv3_method anywhere in https options – use TLSv1_method instead if it’s really needed.

Websphere

See Security bulletin

Review of Elasticsearch Server 2nd Edition

Elasticsearch Server Second Edition is a good book to read if you’re getting started with Elasticsearch or considering using it. It goes through all the main areas of getting your data indexed and then searching and analysing it.

The book is well written and easy to read through, and serves well as a reference guide to refer back to later. It has helped me get an overview of some of the features of Elasticsearch that I’ve not yet used, some of which I hope to explore in further depth following on from the examples in the book. All of the chapters in the book include useful references to sources for further information on the topic covered, and for more in-depth coverage the authors recommend going on to read their other book, Mastering Elasticsearch, which I hope to read as well as a follow-on.

Recovering encrypted filesystems

  1. Boot from Live CD / USB
  2. Decrypt the filesystem
    cryptsetup luksOpen /dev/sda5 *hostname*
    
  3. Mount filesystems
    mount /dev/dm-2 /mnt
    mount /dev/dm-3 /mnt/home
    mount /dev/sda1 /mnt/boot
    mount --bind /dev /mnt/dev
    mount --bind /sys /mnt/sys
    mount --bind /proc /mnt/proc
    
  4. Enter chroot
    chroot /mnt

/etc/crypttab should have: sda5crypt UUID=*sda5uuid*