SSL3 is over. Some servers keep it active because they need to serve pages to IE6/XP users. But, these days are over, as most of the updated to, at least IE8, and they have all the last updates allowing to connect using TLS 1.1 or 1.2.
SSL3 can also be enabled by default on older Windows Servers, like 2008 R2, even if you installed all Windows Updates.
Now, it’s time to disable SSL3 completely.
If your SSL3 is active, you may get one of these warnings from Qualys SSL Test:
- This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
- This server uses SSL 3, which is obsolete and insecure. Grade capped to B.
It’s easy to disable it from a Windows registry, as described here.
Solution
Create a file, called DisableSSL3.reg, and copy that content on it:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
Save it, double-click on it, and accept.
Finally, reboot, and all SSL3 server services are disabled on your Windows server.