[solved] SSL Labs says I have a POODLE problem

I’ve installed LetsEncrypt, and have a certificate (with alternate names for my various domains) up and running. (Thanks for this, by the way!) However, when I do the recommended test at SSL Labs, their report claims that (a) I’m vulnerable to POODLE and (b) I accept RC4, but only with older protocols.

I’m confused, because I can see the POODLE and RC4-related options in /etc/letsencrypt/options-ssl-apache.conf, and the Include statement in domain-le-ssl.conf in my site files that should be loading them. I’ve also tried putting the options directly into domain-le-ssl.conf, just in case that had something to do with it (of course, there was no change). Otherwise, the sites all seem to be working properly under SSL.

Any advice out there on how to proceed? I’d post some domain information, but I’m not sure I should be advertising links to what may be poodle-sensitive installations…

Hi @jrm_at_letsencrypt,

It’s hard for me to think of a threat model in which it’s bad to mention the site name here, since people can easily make such a list by scanning every name for which Let’s Encrypt (or any public CA) has ever issued a certificate.

I would suggest running

grep -r SSLCipherSuite /etc/apache2

and

grep -r SSLProtocol /etc/apache2

to find other files that might be setting different defaults for your cryptographic options in Apache.
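An added example, not from the thread and not Certbot's code, that scripts the two greps above and goes one step further: it lists every active SSLProtocol / SSLCipherSuite directive under an Apache config tree and flags the values that produce exactly the two SSL Labs findings in the original post (SSLv3 enabled, RC4 allowed). The /etc/apache2 default, the weak/ok heuristics, and the sample config tree it builds in a temp directory are assumptions of the example, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): audit an Apache config
# tree for SSLProtocol / SSLCipherSuite directives and flag any that still
# allow SSLv3 (POODLE) or RC4. The /etc/apache2 default path and the
# weak/ok heuristics below are assumptions of this example.

# Every active (non-commented) SSLProtocol / SSLCipherSuite line under a
# directory, as "file:line:directive". Same idea as the two greps above,
# but one pass; unreadable files are silently skipped (2>/dev/null).
list_tls_directives() {
    grep -rniE '^[[:space:]]*SSL(Protocol|CipherSuite)[[:space:]]' "${1:-/etc/apache2}" 2>/dev/null
}

# Verdict for one SSLProtocol value: "weak" if SSLv2/SSLv3 is switched on, or
# "all" is used without "-SSLv3" (conservative: an OpenSSL built without
# SSLv3 makes plain "all" safe, but flagging it costs nothing). Else "ok".
check_protocol() {
    has_all=no; disables_v3=no; enables_v3=no
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do   # Apache matches case-insensitively
        case "$tok" in
            -sslv3)                     disables_v3=yes ;;
            sslv3|+sslv3|sslv2|+sslv2)  enables_v3=yes ;;
            all|+all)                   has_all=yes ;;
        esac
    done
    if [ "$enables_v3" = yes ] || { [ "$has_all" = yes ] && [ "$disables_v3" = no ]; }
    then echo weak; else echo ok; fi
}

# Verdict for one SSLCipherSuite value, walking the OpenSSL cipher string in
# order: "!RC4" bans RC4 for good, "-RC4" only removes it until something
# re-adds it, "+X" merely reorders, and ALL/DEFAULT/MEDIUM are groups that
# contain RC4 on the OpenSSL builds that still ship it.
check_ciphers() {
    rc4=no
    for tok in $(printf '%s' "$1" | tr ':,' '  '); do      # ':' ',' and ' ' all separate ciphers
        case "$tok" in
            '!'*RC4*)                                 rc4=banned ;;
            -*RC4*)                                   [ "$rc4" = banned ] || rc4=no ;;
            +*)                                       ;;
            *RC4*|ALL|DEFAULT|MEDIUM|COMPLEMENTOFDEFAULT) [ "$rc4" = banned ] || rc4=yes ;;
        esac
    done
    if [ "$rc4" = yes ]; then echo weak; else echo ok; fi
}

# Print every weak directive as "file:line: Directive value".
# Returns 1 if any were found, 0 if the tree is clean.
audit_tls_directives() {
    findings=$(list_tls_directives "$1" | while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        lineno=${rest%%:*}; directive=${rest#*:}
        set -- $directive                  # word-split: $1 is the directive name, rest is its value
        name=$1; shift; value=$*
        case "$name" in
            [Ss][Ss][Ll][Pp]*) verdict=$(check_protocol "$value") ;;
            *)                 verdict=$(check_ciphers "$value") ;;
        esac
        if [ "$verdict" = weak ]; then
            printf '%s:%s: %s %s\n' "$file" "$lineno" "$name" "$value"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (assumption, not a real server) shaped like the
# thread: a stray server-wide default in mods-enabled/ssl.conf beside
# Certbot-style values in an included options file, plus a commented-out
# line that the audit must ignore. Prints the directory it created.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled"
    printf '%s\n' '<IfModule mod_ssl.c>' \
        '    SSLProtocol all' \
        '    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5' \
        '</IfModule>' > "$d/mods-enabled/ssl.conf"
    printf '%s\n' '# SSLProtocol all' \
        'SSLProtocol all -SSLv2 -SSLv3' \
        'SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK' \
        > "$d/options-ssl-apache.conf"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree; replace with /etc/apache2 on a server.
fixture=$(make_fixture)
echo "Audit of $fixture:"
audit_tls_directives "$fixture" || echo "weak TLS settings found; fix the file(s) above"
rm -rf "$fixture"
```

Run it against /etc/apache2 (or any other Apache config root): every line it lists is a place where the value can be set, so a tree can have more of them than just the Certbot-managed options file, and the flagged ones are the values SSL Labs would report as SSLv3 or RC4 being accepted.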

Fair point re scanning; excuse/forgive my paranoia and middling competence in all of this.

Anyway, your greps were helpful; I found some un-commented-out defaults in ssl.conf which, when replaced with the POODLE/RC4 stuff, did the trick. Thanks!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.