TL;DR: Remove SSLv3 – the impact is likely very small
We’ve now removed SSLv3 from about 1000 servers in our environment. So far, we’ve only had one issue – a script used to call an API started to fail. The issue was the ruby rest client > 1.7.0. (Yes, that’s greater-than.)
Removing from Apache
SSLv3 is easy to remove in Apache. You probably want this in your ssl.conf (or whatever the equivalent is for your distro):
SSLProtocol all -sslv2 -sslv3
This removes both SSLv2 and SSLv3 (both are known to have vulnerabilities), and relies on TLS. This is good.
Removing from Nginx
It’s similar for Nginx – find any instances of “ssl_protocols” in your conf files in /etc/nginx (or your distro’s equivalent), and change that line to read:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
You can test whether or not SSLv3 is being used by your server by running:
openssl s_client -connect localhost:443 -ssl3
If you receive a handshake error, you’re good. No SSLv3 for you. If you receive certificates and other info back, then SSLv3 is enabled, and you should change that.
Change the port if you want to check a different service (mail, etc).
Removing SSLv3 does remove a protocol that older browsers may use to connect to your server. It’s most likely to impact unpatched version of IE6, or browsers on old mobile devices. In practice, it has been an extremely small segment of our base (it appears to be < 0.1%) or so. Of course, analyze your client base to see for sure.
I’m beginning to copy over my technology-related posts from Google+ to this blog, mostly so I have an easy-to-read record of them. This one was originally published on 15 October 2014: Some Real-World Info on POODLE (CVE-2014-3566)