How to fix the POODLE SSL issue on IIS
There was a recent SSL vulnerability reported called POODLE (Padding Oracle On Downgraded Legacy Encryption), whereby if a user is connected to your Web server using SSL v3, there is a risk that an attacker can conduct a man-in-the-middle attack. IronBox customers are already protected, but if you’re using Microsoft IIS here’s how to fix this issue.
Fixing POODLE entails disabling SSL v3 on your server. To do this, add a DWORD value named Enabled and set it to 0 under the following registry key (the SSL 3.0 and Server subkeys are usually not present by default, so create them first):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
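As an added example (not the DisableSSLv3_Server script mentioned below), the following PowerShell creates the key, sets Enabled to 0, and reports the resulting state so you can confirm the change before rebooting; it additionally sets DisabledByDefault to 1, which the post does not mention, and the function names are my own. Run it from an elevated prompt.

```powershell
# Added example: disable SSL 3.0 for the server side of Schannel on IIS.
# Run elevated; the change only takes effect after a restart.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3Server {
    $serverKey = Join-Path $base 'Server'
    # The SSL 3.0\Server subkeys are normally absent on a fresh install; create them.
    if (-not (Test-Path $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
    }
    # Enabled = 0 switches the protocol off for server-side connections.
    New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    # DisabledByDefault = 1 keeps it off even for callers that do not name a
    # protocol list explicitly (not required by the post, but commonly set alongside).
    New-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-Ssl3ServerState {
    $serverKey = Join-Path $base 'Server'
    if (-not (Test-Path $serverKey)) {
        return 'SSL 3.0\Server key absent: OS default applies'
    }
    $props = Get-ItemProperty -Path $serverKey
    if ($props.Enabled -eq 0) {
        return 'SSL 3.0 server-side: disabled'
    }
    return 'SSL 3.0 server-side: ENABLED (still exposed to POODLE)'
}

Disable-Ssl3Server
Get-Ssl3ServerState
Write-Host 'Restart the server for the Schannel change to take effect.'
```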
Restart your server and you’re done. For your convenience, I’ve included the same script we use on our own production servers (DisableSSLv3_Server) for your reference. Then head on over to https://www.ssllabs.com/ssltest/ and test your server. Enjoy,
–Kevin