FreeNAS Nginx Disable SSLv3 to Protect From Poodle

Status
Not open for further replies.

iamanthony

Cadet
Joined
Nov 10, 2014
Messages
7
Sorry if this has been answered, but I would like to disable SSLv3 on my FreeNAS 9.2.1.8 box and can't find any information on it. What is the best way to disable SSLv3 on my FreeNAS box?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Just for everyone's edification, POODLE is an SSLv3 vulnerability that was discovered about a month ago. Here is a decent post on it.

Not sure if this is even an issue in FreeNAS. I am sure someone can opine.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Dang. My first thought was something ultrasonic or chemical. Hot wire?
I'm not concerned. I administer all of my internet-facing filers by telnet / rot13.
 

iamanthony

Cadet
Joined
Nov 10, 2014
Messages
7
LOL thanks guys. Correct: POODLE is an SSLv3 vulnerability, so the way to protect against it is to disable SSLv3. My FreeNAS 9.2.1.8 box is still supporting SSLv3. I know that to disable it in nginx, you would edit the nginx.conf file, particularly the ssl_protocols line, but there seem to be mixed opinions on editing that file directly. Has no one shown interest in disabling SSLv3 on their FreeNAS boxes?

Is anyone running the 9.3 beta? Is SSLv3 still enabled there?
 
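The ssl_protocols edit referred to in the post above, as an added shell example that is not from the thread or from the FreeNAS project. The nginx server block is constructed for the example; the file location (/etc/local/nginx/nginx.conf on a 9.2.x box) and the fact that the middleware may rewrite it are assumptions you should confirm on your own system, and the protocol names TLSv1.1/TLSv1.2 require an nginx built against OpenSSL 1.0.1 or later (drop back to "TLSv1" alone if nginx -t rejects them).

```shell
#!/bin/sh
# Added example (not from the thread): turn the SSLv3-enabled ssl_protocols
# directive into a TLS-only one and verify the result.
#
# Constructed sample of an nginx server block as it might look on a
# FreeNAS 9.2.x box (assumed path: /etc/local/nginx/nginx.conf).
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name freenas.local;
    ssl_certificate     /etc/certificates/freenas.crt;
    ssl_certificate_key /etc/certificates/freenas.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}'

# Exit 0 if the config text passed in $1 still lists SSLv3 (or SSLv2) in any
# ssl_protocols directive, 1 otherwise.
conf_allows_sslv3() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]'
}

# Print the config text passed in $1 with every ssl_protocols directive
# replaced by a TLS-only list; indentation of the directive is preserved.
harden_ssl_protocols() {
    printf '%s\n' "$1" | sed -E \
        's/^([[:space:]]*)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/'
}

# Live check against a running server ($1 is host:port). Only meaningful when
# the local libssl was built with SSLv3 support; otherwise -ssl3 is rejected
# by openssl itself and the output below must be read, not trusted blindly.
# A hardened server answers the SSLv3 ClientHello with a handshake failure.
check_live_sslv3() {
    printf '' | openssl s_client -connect "$1" -ssl3 2>&1 | grep -E 'Protocol|handshake failure|unknown option'
}

# Usage, operating on the constructed sample rather than the real file:
if conf_allows_sslv3 "$SAMPLE_CONF"; then
    echo "before: SSLv3 enabled"
fi
HARDENED=$(harden_ssl_protocols "$SAMPLE_CONF")
if conf_allows_sslv3 "$HARDENED"; then
    echo "after: SSLv3 still enabled"
else
    echo "after: SSLv3 removed"
fi
printf '%s\n' "$HARDENED" | grep ssl_protocols
```

To apply this to a real box, run the sed in place against the assumed path after backing the file up, then `nginx -t` and reload; because the FreeNAS middleware may regenerate nginx.conf, re-run `conf_allows_sslv3` on the file after the next reboot or GUI change to see whether the edit survived, and use `check_live_sslv3 freenas.local:443` from a client that still has SSLv3 compiled into its openssl to confirm the handshake is refused.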

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
From what I understand, it would require the attacker to be between your client and FreeNAS server. For a home user, a total non-issue. It'd be much more dangerous to randomly upgrade to a beta version of FreeNAS. If you do that you'll move from the world of theoretical problems to *real* problems pretty quickly.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah. If memory serves me right SSLv3 is supported and enabled (of course it's not the default). But if you are in a position where POODLE is a concern, you've already failed "basic security 101" and you have much bigger problems. You could easily solve this problem by simply disabling SSLv3 on your browser. If it can't negotiate SSLv3 from your web browser you definitely can't be pwned by POODLE.
 

iamanthony

Cadet
Joined
Nov 10, 2014
Messages
7
Of course, all good responses.
  1. @cyberjock SSLv3 is disabled on all of my browsers, but passing "basic security 101" would require it be disabled on the web server all together (IMHO). Disabling it on the server would be really useful for environments with many users logging in to the web UI and there is no centralized way to manage browser settings.
  2. @anodos correct, you would have to be MITM, but what if you are on a large corporate network? What if your home network was compromised? What if you are accessing the web UI of your FreeNAS box across an unsecured network, like the internet?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
1) You shouldn't have multiple users accessing the webgui. Webgui access = root access. Security 101 - don't give out root access willy-nilly. For the few that do have access, make sure their browsers are appropriately configured (if you're concerned about this problem).
2) The webgui should not ever be exposed on the internet. If it is exposed, then this is itself a security problem larger than the 'poodle' vulnerability.

You are best served just using FreeNAS as it is and waiting for the 9.3 release. In 9.3 updates will be handled differently.
 

iamanthony

Cadet
Joined
Nov 10, 2014
Messages
7
Don't give out root access willy-nilly is right, but what about an environment with multiple administrators? If there is no need to expose the web GUI, then I agree. Even if you needed remote access, a VPN would be a much better option. These are all excellent points, but I still think that from a security standpoint, disabling SSLv3 would be the best practice.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
To be honest, once the server is setup and running there shouldn't be a significant need to log into the server. This year I've probably logged in maybe 10 times for my own benefit. Of those times most of them have been for jail creation and FreeNAS updates.
 