Educause Security Discussion mailing list archives

Re: Lessons learned disabling SSLv3


From: "Childs, Aaron" <aaron () WESTFIELD MA EDU>
Date: Tue, 24 Mar 2015 17:03:22 +0000

Hi Dan,

We have been working to disable SSLv3 for a little while now with fairly low impact to our campus community.  As you 
disable SSLv3 and tweak supported cipher suites you can test your server with Qualys SSL Server test 
(https://www.ssllabs.com/ssltest/analyze.html) and that will show you which OS/Browser combinations may have problems 
connecting to your site.

Have a good day,
Aaron

Aaron Childs, Associate Director

Infrastructure Services
Information Technology Services
Wilson Hall - 577 Western Ave. Westfield MA 01086
P  413.572.5527   F 413.572.5615
aaron () westfield ma edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Woodruff, Dan
Sent: Tuesday, March 24, 2015 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Lessons learned disabling SSLv3

We are working to disable SSLv3 in favor of at least TLS1.0 (possibly higher) on all web servers at the University. We 
have some concerns about browser compatibility issues with the versions of TLS. All modern browsers support at least 
TLSv1.0 so we anticipate that the impact to our community will be low if we disabled only SSLv3. If we disabled TLSv1.0 
as well, it seems more browsers would have compatibility issues. Source: 
http://en.wikipedia.org/wiki/Transport_Layer_Security

For systems that are managed by the University, we can make broad configuration changes as needed, but we also have 
students and outside parties with machines not under our control. I'm wondering if other schools have gone through this 
effort to disable SSLv3 and/or TLSv1.0 and have any lessons learned or unexpected consequences they could share?

Thanks in advance,

Dan Woodruff
University IT Security and Policy
University of Rochester
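
One way to estimate the client impact discussed in this thread before changing the server configuration, as an added example that is not part of either message: read the TLS access log and list the clients whose best observed protocol falls below a proposed minimum. The thread names no web server, so the Apache mod_ssl log format, the sample lines (constructed) and the function names are assumptions, and the server is assumed to still offer every version under consideration.

```python
import re

# Assumed Apache mod_ssl log format (the thread names no web server):
#   LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{User-Agent}i\""
# Constructed sample lines, not real traffic. 192.0.2.10 appears twice: once
# on TLSv1.2 and once on an SSLv3 fallback retry.
SAMPLE_LOG = """\
[24/Mar/2015:11:48:01 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 5120 "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
[24/Mar/2015:11:48:09 +0000] 192.0.2.20 SSLv3 DES-CBC3-SHA "GET / HTTP/1.1" 5120 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
[24/Mar/2015:11:49:30 +0000] 192.0.2.30 TLSv1 AES128-SHA "GET /login HTTP/1.1" 2048 "Mozilla/5.0 (Linux; U; Android 2.3.6)"
[24/Mar/2015:11:50:02 +0000] 192.0.2.10 SSLv3 DES-CBC3-SHA "GET /a.css HTTP/1.1" 900 "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'^\[[^\]]+\] (?P<ip>\S+) (?P<proto>\S+) \S+ "[^"]*" \S+ "(?P<ua>[^"]*)"$'
)

# Oldest to newest, using the names mod_ssl writes for SSL_PROTOCOL.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def best_protocol_per_client(log_text):
    """Map (ip, user_agent) to the highest protocol that client negotiated."""
    best = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] not in PROTOCOL_ORDER:
            continue  # malformed line or an entry without a TLS protocol
        key = (m["ip"], m["ua"])
        rank = PROTOCOL_ORDER.index(m["proto"])
        # Keep the best version seen: one SSLv3 hit may be a fallback retry.
        best[key] = max(best.get(key, -1), rank)
    return {key: PROTOCOL_ORDER[rank] for key, rank in best.items()}


def clients_cut_off(log_text, minimum):
    """Clients never seen at `minimum` or newer, i.e. likely to lose access."""
    floor = PROTOCOL_ORDER.index(minimum)
    best = best_protocol_per_client(log_text)
    return sorted(k for k, p in best.items() if PROTOCOL_ORDER.index(p) < floor)


if __name__ == "__main__":
    for minimum in ("TLSv1", "TLSv1.1"):
        print(minimum, clients_cut_off(SAMPLE_LOG, minimum))
```

Counting the best protocol per client rather than per request keeps a browser that fell back to SSLv3 once from being reported as SSLv3-only.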

