http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
UPDATE 10/15: As Andrew and Julio point out in the comments below, AWS has since updated their default cipher security policies. Steps 5 and 6 have been replaced accordingly.
To modify the ciphers on AWS ELBs, follow these steps:
1) Log into the AWS console and click on "Load Balancers."
2) Find the load balancer that handles your site's traffic (you shouldn't need to worry about internal VPC LBs, etc.).
3) Click the "Listeners" tab.
4) Find the HTTPS/443 listener and click "Edit" under the cipher column.
5) Change the policy to "ELBSecurityPolicy-2014-10", which disables SSLv3 for you.
6) Save.
This should be sufficient to mitigate this risk with the information that is currently known.
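To confirm the change took effect on every listener, the check below (an added example, not part of the original post) audits the JSON that `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` return and reports HTTPS/SSL listeners whose negotiation policy still has `Protocol-SSLv3` enabled. The load balancer and policy names in the sample data are constructed, and treating a missing `Protocol-SSLv3` attribute as disabled is an assumption.

```python
"""Flag classic-ELB TLS listeners whose negotiation policy still allows SSLv3."""

# Constructed sample shaped like one entry of `aws elb describe-load-balancers`.
SAMPLE_LB = {
    "LoadBalancerName": "example-lb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["legacy-policy"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80},
         "PolicyNames": []},
    ],
}

# Constructed sample shaped like `aws elb describe-load-balancer-policies`.
SAMPLE_POLICIES = {"PolicyDescriptions": [
    {"PolicyName": "legacy-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
    {"PolicyName": "fixed-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy",
          "AttributeValue": "ELBSecurityPolicy-2014-10"},
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"}]},
]}


def sslv3_enabled(policy):
    """True if the policy sets Protocol-SSLv3 to true (absent = off, assumed)."""
    attrs = {a["AttributeName"]: a["AttributeValue"]
             for a in policy.get("PolicyAttributeDescriptions", [])}
    return attrs.get("Protocol-SSLv3", "false").lower() == "true"


def audit(lb, policies):
    """Return (port, policy_name) for each TLS listener still offering SSLv3."""
    by_name = {p["PolicyName"]: p for p in policies["PolicyDescriptions"]
               if p.get("PolicyTypeName") == "SSLNegotiationPolicyType"}
    findings = []
    for desc in lb["ListenerDescriptions"]:
        listener = desc["Listener"]
        if listener["Protocol"] not in ("HTTPS", "SSL"):
            continue  # plain HTTP/TCP listeners negotiate no SSL/TLS
        for name in desc.get("PolicyNames", []):
            if name in by_name and sslv3_enabled(by_name[name]):
                findings.append((listener["LoadBalancerPort"], name))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_LB, SAMPLE_POLICIES))
```

An empty result means no audited listener references a policy with SSLv3 switched on.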
Actually, the Predefined Security Policy ELBSecurityPolicy-2014-10 does this for you. It might have come online since you wrote this blog post, but the latest security policy removes support for SSLv3.
Thanks, Andrew, I did this yesterday afternoon and didn't see it, but I'll definitely update the post.
You can also use Amazon's new Predefined Security Policy called "ELBSecurityPolicy-2014-10", which is basically ELBSecurityPolicy-2014-01 without SSLv3 :-)
Thanks, Julio! I've updated the post with the new info, since Amazon hadn't made this change when I first wrote this post.