Educause Security Discussion mailing list archives
Re: Lessons learned disabling SSLv3
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Wed, 25 Mar 2015 14:57:35 +0000
The great thing about the SSLLabs test is it will show what devices/browsers can still connect and how. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [AusColl_Logo_Email] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McClenon, Brady Sent: Tuesday, March 24, 2015 2:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Lessons learned disabling SSLv3 We had an issue where we disabled SSLv3 and exploitable/broken ciphers and since the application only supported TLSv1.0 in addition the SSLv3 we ended up with on 3 ciphers available to use. It didn't cause any issues, but it was a reminder to be careful about how we test what ciphers are left available before making changes. Brady McClenon Information Technology Security Administrator Information Technology Services - IT Security B237 Milne Library SUNY College at Oneonta 607-436-3203 "Quotes found on the internet are not always accurate." - Abraham Lincoln From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter Sent: Tuesday, March 24, 2015 2:25 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Lessons learned disabling SSLv3 We haven't had any major problems. We did have to be careful with a couple of legacy apps where SSL is used for application communication and those legacy apps couldn't use TLS. Those systems aren't accessed via browsers anyway so we were able to secure them in other ways. Thomas Carter Network and Operations Manager Austin College 903-813-2564 [AusColl_Logo_Email] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Woodruff, Dan Sent: Tuesday, March 24, 2015 10:48 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Lessons learned disabling SSLv3 We are working to disable SSLv3 in favor of at least TLS1.0 (possibly higher) on all web servers at the University. We have some concerns about browser compatibility issues with the versions of TLS. All modern browsers support at least TLSv1.0 so we anticipate that the impact to our community will be low if we disabled only SSLv3. If we disabled TLSv1.0 as well, it seems more browsers would have compatibility issues. Source: http://en.wikipedia.org/wiki/Transport_Layer_Security For systems that are managed by the University, we can make broad configuration changes as needed, but we also have students and outside parties with machines not under our control. I'm wondering if other schools have gone through this effort to disable SSLv3 and/or TLSv1.0 and have any lessons learned or unexpected consequences they could share? Thanks in advance, Dan Woodruff University IT Security and Policy University of Rochester
Current thread:
- Lessons learned disabling SSLv3 Woodruff, Dan (Mar 24)
- Re: Lessons learned disabling SSLv3 Jeff Borton (Mar 24)
- Re: Lessons learned disabling SSLv3 Rob Taylor (Mar 24)
- Re: Lessons learned disabling SSLv3 Childs, Aaron (Mar 24)
- Re: Lessons learned disabling SSLv3 William Clarke (Mar 24)
- Re: Lessons learned disabling SSLv3 Thomas Carter (Mar 24)
- Re: Lessons learned disabling SSLv3 McClenon, Brady (Mar 24)
- Re: Lessons learned disabling SSLv3 Thomas Carter (Mar 25)
- Re: Lessons learned disabling SSLv3 Brad Judy (Mar 25)
- Re: Lessons learned disabling SSLv3 Velislav K Pavlov (Mar 25)
- Re: Lessons learned disabling SSLv3 McClenon, Brady (Mar 24)
- Re: Lessons learned disabling SSLv3 Will Froning (Mar 28)