
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
2 answers
8950 views
How to disable SSLv2 and SSLv3 in pure-ftpd
I am running pure-ftpd like this:

```
/usr/sbin/pure-ftpd -A -c10 -B -C3 -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -J'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'
```

but in syslog-ng monitoring I get an error:

```
pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'
```

I tried several variations without any luck. The only one that worked without a problem was this one (in the configuration file):

```
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
```

then run:

```
/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf
```

Running:

```
/usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
```

but with this one, only SSLv2 is disabled. I found this command at http://download.pureftpd.org/pub/pure-ftpd/doc/README and there it says:

> '-J ': Sets the list of ciphers that will be accepted for SSL/TLS connections.
> For example: -J HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
> Prefixing the list with -S: totally disables SSLv3.

I think this -S might solve my problem but I can't figure out how to use it.
drpaneas (2420 rep)
Nov 19, 2014, 10:04 AM • Last activity: Oct 2, 2016, 02:41 PM
1 vote
2 answers
640 views
Still vulnerable after disabling SSLv3
I'm trying to disable SSLv3 to avoid the Poodle problem. I'm using the following instructions as a guideline: https://access.redhat.com/solutions/1232413

I've applied the following line to my config file:

```
SSLProtocol All -SSLv2 -SSLv3
```

and restarted apache, but it looks like I'm still vulnerable. I'm using this tool to verify: https://access.redhat.com/labs/poodle/ I've also done a grep to make sure SSL is not active anywhere else, which it isn't.

I came across this post: https://unix.stackexchange.com/questions/162478/poodle-disabling-sslv3-in-apache ; the accepted answer states that you have to put the above line in every vhost stanza. Is this true? I do have other vhosts on this server but they are required to be secure.

**EDIT: Adding sanitised config file for the site with SSL references.**

```
ServerAdmin webmaster@xxxxxx.xxx
DocumentRoot "/html/xxxxxx.xxxxxx.xxx"
ServerAlias xxxxxx.xxxxxx.xxx
ServerAlias xxxxxx.xxxxxx.xxx
ServerName xxxxxx.xxxxxx.xxx
ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common

ServerAdmin webmaster@xxxxxx.xxx
DocumentRoot "/html/xxxxxxxxxxx/xxxxxx"
ServerAlias xxxxxx.xxxxxx.xxx
ServerAlias xxxxxx.xxxxxx.xxx
ServerName xxxxxx.xxxxxx.xxx
ErrorLog logs/xxxxxx.xxxxxx.xxx-error_log
CustomLog logs/xxxxxx.xxxxxx.xxx-access_log common
SSLEngine on
SSLCertificateFile /path/to/cert/xxxxxx.xxxxxx.xxx.crt
SSLCertificateKeyFile /path/to/key/xxxxxx.xxxxxx.xxx.key
SSLCertificateChainFile /path/to/chain/xxxxxx.xxxxxx.xxx.ca
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
DirectoryIndex index.php index.htm index.html
Options -Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride All
Order allow,deny
Allow from all
```

My other vhost files are just standard configs for port 80; there's nothing special about them. `sudo service httpd configtest` returns `Syntax OK`.
Stephen (183 rep)
Oct 20, 2014, 01:33 PM • Last activity: Aug 14, 2016, 12:40 PM
1 vote
2 answers
5405 views
Implementing TLS 1.2 when I SSH into a box as a measure against POODLE
Is it possible to edit `sshd_config` or `ssh_config`, such that the SSH connection into a machine configured to use TLS1.2 is successful and rejects connections configured to use TLS1.1 and below, as well as SSL3 and below? Is there any other way to do this? This is on Fedora.
hack (13 rep)
Mar 19, 2015, 01:49 PM • Last activity: Mar 19, 2015, 02:45 PM
8 votes
1 answer
18501 views
How do I disable SSLv3 in an OpenSSH SSH server to avoid POODLE?
In wake of [the newly-discovered POODLE vulnerability](http://www.zdnet.com/google-reveals-major-flaw-in-outdated-but-widely-used-ssl-protocol-7000034677/), I'd like to disable SSLv3 on all of my SSH servers. How do I achieve this with OpenSSH?
drs (5621 rep)
Oct 15, 2014, 12:47 AM • Last activity: Nov 30, 2014, 05:26 PM
8 votes
1 answer
21567 views
Disable SSLv3 In cURL?
I'm having a problem connecting to a website that is hosted with CloudFlare using cURL. When I try to connect to the website with HTTPS (using `curl -v https://www.xxxxxx.com`), it says:

```
* About to connect() to www.xxxxxx.com port 443 (#0)
*   Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.xxxxxx.com
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL: 'https://www.xxxxxx.com'
* About to connect() to www.xxxxxx.com port 443 (#1)
*   Trying 2400:cb00:2048:1::681c:116e...
* Connected to www.xxxxxx.com (2400:cb00:2048:1::681c:116e) port 443 (#1)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
```

I contacted CloudFlare about this issue and they say it's because cURL is trying to connect using SSLv3 and they disabled it because of the POODLE vulnerability. I'm able to connect with cURL v7.38.0 on FreeBSD 10 with no problems, but not with cURL v7.29.0 on CentOS 6.5. If it is because it's trying to connect with SSLv3, then how do I disable SSLv3 in cURL? Or is it something else?
SameOldNick (503 rep)
Oct 18, 2014, 05:00 AM • Last activity: Oct 19, 2014, 05:11 AM
1 vote
2 answers
4151 views
OpenSSL 1.0.1j - "POODLE" vulnerability fix (upgrade) on RHEL 6.5
I've got a problem when I upgraded my OpenSSL on RHEL 6.5. The OpenSSL is missing the library `libcrypto.so.10`. Instead, the lib created by `openssl 1.0.1j` is `libcrypto.so.1.0.0`. I've made a soft link, but it still does not work for other packages using `libcrypto.so.10`. Does anyone have experience with this problem?

**Explanation (addendum/edit):** this is required info since many will be looking to use the 1.0.1j version directly from the OpenSSL package to escape the latest (2014.10.15) "POODLE" vulnerability in OpenSSL. If you get the tar.gz file from openssl.org at this time, you should not have a problem. There previously was a problem for a short time and that publication may still exist on other sites, so avoid taking down the file from anywhere other than openssl.org: openssl downloads. Please read through the SSL3 warning in the @jvp answer regarding RPMs, since the updates do not completely solve server problems that arise when servers permit such connections. A discussion of this additional vulnerability can be found at: NCAS division of us-cert.gov. See the answer regarding using Red Hat based RPMs for EL6 and EL7.

Look to your `/usr/lib` directory for 32-bit and `/usr/lib64` for 64-bit, and the layout should be as follows:

- `libcrypto.a`
- `libcrypto.so -> libcrypto.so.1.0.1j`
- `libcrypto.so.10 -> libcrypto.so.1.0.1j`
- `libcrypto.so.1.0.1j`
- `.libcrypto.so.1.0.1j.hmac`
- `.libcrypto.so.10.hmac -> .libcrypto.so.1.0.1j.hmac`
- `libssl.a`
- `libssl.so -> libssl.so.1.0.1j`
- `libssl.so.10 -> libssl.so.1.0.1j`
- `libssl.so.1.0.1j`
- `.libssl.so.1.0.1j.hmac`
- `.libssl.so.10.hmac -> .libssl.so.1.0.1j.hmac`

There are also the lib sub-directories `openssl` and `package`, but these have never been a problem.
hungwar (11 rep)
Sep 20, 2014, 02:04 PM • Last activity: Oct 17, 2014, 09:32 PM