Dear customers,
Please be aware of the following security vulnerability disclosure that affects servers that have SSL 3.0 enabled:
On 14 October, Google disclosed a vulnerability in the SSL 3.0 protocol that allows an attacker to gain access to encrypted information transmitted over it. This vulnerability is not linked to the security of any particular SSL certificate or brand of SSL; it lies in the SSL 3.0 protocol itself, which puts personal information at risk if servers accept communications over it.
It is worth noting the SSL 3.0 protocol is 18 years old, and by today's standards, the more secure TLS protocol should be enforced for secure communications. As such, we strongly recommend all VPS, Cloud and Dedicated Server customers disable SSL 3.0 immediately. Major browsers such as Firefox are expected to disable SSL 3.0 in upcoming releases.
You can verify whether SSL 3.0 is enabled on your server by executing the following command, replacing "example.com:443" as necessary:
Code:
openssl s_client -ssl3 -connect example.com:443
You will receive an output similar to this if SSL 3.0 is disabled:
Code:
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40
SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:
To learn how to disable SSL 3.0, please visit the URL corresponding to the specific HTTP server you have:
Apache: mod_ssl - Apache HTTP Server Version 2.2
Nginx: Module ngx_http_ssl_module
Microsoft IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
If you need help disabling SSL 3.0 on your server, please contact our 24x7 support team. We will be happy to help you.
Kind Regards,
The eUKhost team
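The check above only shows what a disabled server looks like. The following is an added example, not part of the original notice, that classifies the s_client output as enabled, disabled or inconclusive. The function names and sample outputs are constructed, and it assumes the s_client output layout in which a failed handshake still prints an SSL-Session block with "Protocol : SSLv3" and cipher "0000".

```shell
#!/bin/sh
# Added example: classify the output of `openssl s_client -ssl3`.
# Reads the output on stdin and prints: enabled, disabled or inconclusive.
classify_ssl3_probe() {
    out=$(cat)
    # Assumption: a failed handshake still prints "Protocol : SSLv3" with
    # "Cipher : 0000", so the protocol line alone is not proof of SSL 3.0.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if printf '%s\n' "$out" | grep -q '^ *Protocol *: *SSLv3' &&
       [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        echo enabled          # SSL 3.0 handshake completed with a real cipher
    elif printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo disabled         # server refused SSL 3.0 (alert number 40)
    else
        echo inconclusive     # e.g. connection error or client lacks SSLv3
    fi
}

# Hypothetical wrapper for a live probe; needs an openssl build that
# still accepts -ssl3. Usage: check_ssl3 example.com:443
check_ssl3() {
    openssl s_client -ssl3 -connect "$1" </dev/null 2>&1 | classify_ssl3_probe
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_DISABLED='CONNECTED(00000003)
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40
SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ENABLED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

for sample in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_REFUSED"; do
    printf '%s\n' "$sample" | classify_ssl3_probe
done
```

An "inconclusive" result means the probe itself did not run to a verdict, so it should be repeated from a client that can still speak SSL 3.0 rather than treated as a pass.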