Guard against the SSLv3 Vulnerability (“POODLE”) in Zeus Web Server

[This post is more of a public service announcement regarding the recent SSL v3 flaw dubbed “POODLE” for the few remaining people still using Zeus Web Server out there]

You’ve probably seen the warnings about the critical design flaw in SSL v3 allowing attackers to decrypt encrypted connections, dubbed “POODLE” (Padding Oracle On Downgraded Legacy Encryption).

To cut a long story short, you need to disable SSLv3 in your web server right now. If you’re running Zeus Web Server, here’s how:

  1. Upgrade to Zeus Web Server 4.3r5 (the last release ever, from January 2010)
  2. Add the following setting to %ZEUSHOME%/web/global.cfg:
    tuning!ssl3_allow_rehandshake never
  3. Restart Zeus Web Server:
    (As root) %ZEUSHOME%/restart-zeus

Questions in the comments, please. If you don’t have a copy of Zeus Web Server 4.3r5, I can’t help you with that, I’m afraid.

Update: there is more useful information on disabling SSLv3 in web browsers and other web servers on StackExchange.
