Patch drown apache SSL drown vulnerability

2 Mar


Patch the DROWN vulnerability immediately if you run an e-commerce site or any other online service that serves HTTPS with an SSL/TLS certificate.

Your data and your customers' data are at risk. OpenSSL released a patch for DROWN earlier, but the server-side fix also means making sure SSLv2 is switched off everywhere the affected key is used.

Big names in technology were affected, and massive numbers of web servers are still vulnerable; the names included Alibaba, Yahoo and many others.

 

First of all, if you don't want to visit any external scanning sites to check whether your server is vulnerable, you can run the following from any Linux computer:

openssl s_client -ssl2 -connect remote_server:443

If you get a response like this:

CONNECTED(00000003)
22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

the server refused the SSLv2 hello and you're safe on that port. Two caveats: if the output is instead an error saying that -ssl2 is an unknown option, your local OpenSSL was built without SSLv2 and the test did not run at all, so use an OpenSSL build that still speaks SSLv2 (or a DROWN scanner) rather than assuming you are safe; and because DROWN attacks the RSA key rather than the HTTPS service, repeat the check against every host and port that uses the same certificate (mail services on 465, 993 and 995, for example), since a single SSLv2 speaker anywhere exposes all of them. If an SSLv2 handshake succeeds anywhere, you need to patch the DROWN vulnerability. It's pretty simple, and what I will be showing you is:
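The check above, wrapped so it can be run against every endpoint that shares a key and so that a local OpenSSL that cannot speak SSLv2 is reported instead of being mistaken for a safe server. This is an added example and not code from the original post; it assumes POSIX sh, openssl(1) on PATH, GNU coreutils `timeout`, the wording of the OpenSSL 1.0.x/1.1.x s_client messages it matches, and that the ports listed in the driver loop are the ones sharing the web certificate. The sample outputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: wraps `openssl s_client -ssl2`
# so the result is classified instead of eyeballed, and so the
# "my openssl cannot speak SSLv2" case is not mistaken for a safe server.
# Assumptions: POSIX sh, openssl(1) on PATH, GNU coreutils `timeout`, and
# the OpenSSL 1.0.x/1.1.x s_client message wording matched below.

# classify_ssl2 OUTPUT
# Maps the combined stdout+stderr of `openssl s_client -ssl2 ...` to a verdict:
#   NOCLIENT    the local openssl rejected -ssl2 (built without SSLv2);
#               nothing was tested, so this must not be read as "safe"
#   SAFE        the server refused the SSLv2 hello (the handshake failure
#               shown in the post)
#   VULNERABLE  the server sent a certificate and completed an SSLv2 session;
#               every TLS service using that RSA key is exposed to DROWN
#   UNREACHABLE the TCP connection itself failed
#   UNKNOWN     anything else; inspect by hand
classify_ssl2() {
  case "$1" in
    *"nknown option"*)                               echo NOCLIENT ;;
    *"ssl handshake failure"*)                       echo SAFE ;;
    *"Server public key is"*"Protocol  : SSLv2"*)    echo VULNERABLE ;;
    *"Connection refused"*|*"Connection timed out"*) echo UNREACHABLE ;;
    *)                                               echo UNKNOWN ;;
  esac
}

# check_ssl2 HOST PORT [STARTTLS_PROTO]
# Runs the probe with a timeout and prints "HOST:PORT VERDICT".
# `|| true` keeps a non-zero openssl exit from aborting a `set -e` script.
check_ssl2() {
  host=$1; port=$2; starttls=$3
  if [ -n "$starttls" ]; then
    out=$(timeout 10 openssl s_client -ssl2 -starttls "$starttls" \
            -connect "$host:$port" </dev/null 2>&1) || true
  else
    out=$(timeout 10 openssl s_client -ssl2 -connect "$host:$port" \
            </dev/null 2>&1) || true
  fi
  printf '%s:%s %s\n' "$host" "$port" "$(classify_ssl2 "$out")"
}

# Constructed sample outputs (not captured from a real host) covering the
# verdicts the post's wording does not distinguish.
SAMPLE_SAFE='CONNECTED(00000003)
22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_NOCLIENT='unknown option -ssl2
usage: s_client args'
SAMPLE_VULN='CONNECTED(00000003)
depth=0 CN = shop.example.com
---
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'

# Usage: sh drown-check.sh shop.example.com [more hosts...]
# The port list is an assumption about what commonly shares the web
# certificate; adjust it to whatever actually uses the same key.
for host in "$@"; do
  for port in 443 465 993 995; do
    check_ssl2 "$host" "$port"
  done
  check_ssl2 "$host" 25 smtp
done
```

A NOCLIENT result means you need a different OpenSSL build (or a DROWN scanner) before drawing any conclusion; a VULNERABLE result on any port, on any host that reuses the certificate, means the HTTPS traffic on 443 is exposed even if 443 itself reports SAFE.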

 

How to patch the DROWN vulnerability on Linux:

First of all, make sure you're not using any weak ciphers and that your private key is not shared with other servers or services that still accept SSLv2 (DROWN only needs one of them); then make some changes to your Apache configuration.

 

1st step: using your favorite text editor in the CLI, edit the ssl.conf file. For example, here's how to patch the DROWN vulnerability on CentOS:

nano /etc/httpd/conf.d/ssl.conf

Press CTRL+W to search in nano and find the SSLProtocol line, then change it to:

SSLProtocol all -SSLv2 -SSLv3

or, if there is no such line, add the following:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Press CTRL+X to exit, then Y and Enter to save.

This disables the SSLv2 protocol (and SSLv3 along with it) for the virtual host configured in this file; any other vhost file that carries its own SSLProtocol directive overrides this one and needs the same change. That is the server-side mitigation, and it wouldn't hurt to run a yum update while you're at it, since the fixed OpenSSL packages arrive that way.

 

Then the last step is restarting your web server so the change takes effect. Either of these works on CentOS:

service httpd restart

/etc/init.d/httpd restart
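The edit above only governs the vhost in ssl.conf, so before restarting it is worth auditing every SSLProtocol directive under /etc/httpd. The script below does that; it is an added example and not code from the original post. It assumes POSIX sh and sed, one directive per line, paths without spaces, and applies tokens left to right while treating a bare "all" conservatively as including SSLv2 (as on Apache 2.2 with an SSLv2-capable OpenSSL), so "SSLProtocol all" on its own is flagged. The sample configuration embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit every SSLProtocol line in
# an Apache configuration tree. The value edited in ssl.conf only governs that
# file's <VirtualHost>; another vhost file with its own SSLProtocol directive
# overrides it, so one overlooked vhost can keep SSLv2 alive after the edit.
# Assumptions: POSIX sh and sed; one directive per line; tokens applied left
# to right; "all" treated conservatively as including SSLv2.

# sslprotocol_verdict "SSLProtocol <tokens>"
# Prints OK when neither SSLv2 nor SSLv3 survives, else "WEAK" followed by
# the protocols still enabled.
sslprotocol_verdict() {
  val=$(printf '%s' "$1" | sed 's/^[[:space:]]*SSLProtocol//')
  v2=no; v3=no
  for tok in $val; do
    case "$tok" in
      all|+all)     v2=yes; v3=yes ;;   # conservative reading of "all"
      SSLv2|+SSLv2) v2=yes ;;
      -SSLv2)       v2=no ;;
      SSLv3|+SSLv3) v3=yes ;;
      -SSLv3)       v3=no ;;
    esac
  done
  weak=""
  if [ "$v2" = yes ]; then weak="$weak SSLv2"; fi
  if [ "$v3" = yes ]; then weak="$weak SSLv3"; fi
  if [ -z "$weak" ]; then echo OK; else echo "WEAK$weak"; fi
}

# audit_conf < file
# Prints "line N: VERDICT  <directive>" for every uncommented SSLProtocol
# directive read from stdin; returns 1 if any is weak, 0 otherwise.
audit_conf() {
  n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case "$stripped" in
      SSLProtocol*) ;;        # a live directive: check it below
      *) continue ;;          # comments, blanks and everything else
    esac
    verdict=$(sslprotocol_verdict "$stripped")
    printf 'line %d: %s  %s\n' "$n" "$verdict" "$stripped"
    case "$verdict" in WEAK*) bad=1 ;; esac
  done
  return "$bad"
}

# audit_tree DIR
# Walks every .conf file under DIR (paths without spaces assumed) and reports;
# exit status 1 if anything is weak.  Usage: sh audit-sslprotocol.sh /etc/httpd
audit_tree() {
  rc=0
  for f in $(find "$1" -name '*.conf' 2>/dev/null); do
    if grep -q 'SSLProtocol' "$f"; then
      echo "== $f"
      audit_conf < "$f" || rc=1
    fi
  done
  return "$rc"
}

# Constructed sample config (not a real ssl.conf): the corrected directive
# from the post, plus two vhosts that quietly weaken it again.
SAMPLE_CONF='# global
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    # SSLProtocol all
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol +SSLv2 +TLSv1
</VirtualHost>'

if [ $# -ge 1 ]; then audit_tree "$1"; fi
```

Run it as `sh audit-sslprotocol.sh /etc/httpd`, fix every line it reports as WEAK, then run `apachectl configtest` before the restart so a typo in the cipher string does not take the site down.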

 

This was a mini guide on how to patch the DROWN vulnerability. It was a high risk for all website owners and hosting providers because, without the patch, recorded TLS sessions could be decrypted by abusing any SSLv2-enabled server that shared the same key.

 

 
