Disable SSLv3 system-wide for all clients?

Question

After reading about Poodle secutrity bug, I have disabled SSLv3 on my servers and browsers.

But there are several clients that do not expose settings detailed enough via their own means of configuration, e.g. owncloud, uzbl-browser. Also, come to think about it, it is kind of cumbersome to go through every single client...

Apart from rebuilding SSL libraries they use, is there way how to set up a system-wide default or a policy for simplistic (or "irresponsible", if you want) clients like that?

I was kind of expecting to find something in /etc/ssl but that only seems to address certificates and autorities.

The simple answer is no, unfortunately this is not possible. — Xander, Oct 15 '14 at 20:06
Because Poodle relies on adaptive chosen plaintext, it's really only web browsers that are vulnerable, which should reduce your workload a little — paj28, Oct 15 '14 at 20:56
@paj28 That's not accurate, not just browsers go through HTTPS (HTTP API's, for example). — Robert, Nov 06 '14 at 15:11
@Robert - Only browsers are vulnerable to Poodle. See this answer for more information. — paj28, Nov 06 '14 at 15:14

score 2 · Answer 1 · answered Oct 15 '14 at 20:32

2

Its possible to make changes to the TCP/IP SSL levels, but not really considered a policy per say, You might be able to use a deployment service to make the changes using AutoIT (I make company wide changes with this as my deployment asset.

answered Oct 15 '14 at 20:32

Cameron Does Things

592
3
10

score 1 · Answer 2 · answered Oct 15 '14 at 20:21

1

If you implement SSL-proxying, you can configure your proxy server (e.g. Squid) to not use SSLv3 to any side of the connection (client-to-proxy and proxy-to-web).

answered Oct 15 '14 at 20:21

ThoriumBR

53,925
13
135
152

Disable SSLv3 system-wide for all clients?

2 Answers2