Why doesn't the TLS protocol work without the SSLv3 ciphersuites?

Question

While disabling SSLv3 from our ssl.conf files to overcome the Poodle vulnerability, I also disabled the SSLv3 ciphers using !SSLv3. With the ciphers disabled, we were not able to access the website through Firefox and IE. The following was the error message from Firefox:

An error occurred during a connection to xxxx.example.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

So we went back and enabled the SSLv3 ciphersuite and it all started working fine. Right now, the SSLv3 protocol is disabled, but the SSLv3 ciphers are enabled.

• Am I assuming correctly that we got the error with one of the browsers because TLS ciphers were not available in the browser?
• Is it possible that the protocol used is TLSv3, but the ciphers are of SSLv3?

SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol -all +SSLv3
#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:!LOW

We can upgrade the browsers at our office, but can't do that on our customer's machines. Is having SSLv3 protocol disabled, but with the ciphers enabled a recommended setup? In other words, are we okay with connecting through TLS with SSLv3 ciphers?

Answer 1

I presume from your ssl.conf setting that you are using the mod_ssl module from Apache web server. This module relies on OpenSSL to provide the cryptography engine.

From the documentation on OpenSSL, it states:

Protocol version: SSLv2, SSLv3, TLSv1.2. The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1

You can confirm the above by running the following command:

$ openssl ciphers -v 'TLSv1' | sort
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
...

This means that if your configuration file excludes ciphersuite SSLv3, you are effectively removing support for TLSv1.0 too! That leaves you with ciphersuite TLSv1.2 only since support for SSLv2 has also been removed:

$ openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv3' | sort
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
...

From the above, it is not hard to see why you should NOT remove SSLv3 from the ciphersuite. Disabling SSLv3 protocol is more than sufficient to protect your clients from POODLE vulnerability.

The error message you are experiencing is likely because you are using older browsers such as Firefox < 27.0 or Internet Explorer < 11.0 as these versions do not support TLSv1.2 by default.

Answer 2

POODLE is a protocol problem, not a cipher problem. (In fact, it works with both AES and DES, so you can see it's independent of the cipher used.) Disabling SSLv3 ciphers is not necessary (and, as you've discovered, probably not desirable). Disabling just the protocol is sufficient to protect against POODLE.

Answer 3

I wrote an article on how to get an A+ on the Qualys SSL Test and it contains details of favourable SSL configs:

ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

That's an NginX config so you may need to change the format slightly as it looks like you're using Apache. This can be implemented as a wider set of config changes to harden your SSL config.

source: https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/