Insecure Transportation Security Protocol Supported (SSLv3)
Description
The remote service supports SSL 3.0, a cryptographic protocol that has been deprecated since 2015 due to fundamental security flaws. SSL 3.0 is vulnerable to protocol-level attacks including POODLE (Padding Oracle On Downgraded Legacy Encryption), which allows attackers to decrypt secure communications. Modern security standards require the use of TLS 1.2 or higher for encrypted communications.
Remediation
Disable SSL 3.0 support on all servers and services, and configure them to use only TLS 1.2 or TLS 1.3. Follow these steps:
1. Identify all services and applications currently supporting SSL 3.0
2. Update server configurations to explicitly disable SSL 3.0 and enable only TLS 1.2 and TLS 1.3
3. For web servers (Apache, Nginx, IIS), update the SSL protocol directives in configuration files
4. For application servers and custom applications, update SSL/TLS libraries to current versions and configure minimum protocol versions
5. Test the configuration using SSL scanning tools to verify SSL 3.0 is no longer accepted
6. Monitor for any legacy clients that may require SSL 3.0 and work to upgrade them
Example Apache configuration:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Example Nginx configuration:
ssl_protocols TLSv1.2 TLSv1.3;
Refer to https://disablessl3.com/ for platform-specific guidance.