CVE-2014-3566 Poodle SSL v3 Vulnerability

Document ID : KB000028471
Last Modified Date : 14/02/2018

1. Edit the $NH_HOME/web/httpd/httpd.tpl and add the directive:

 SSLProtocol ALL -SSLv2 -SSLv3

 Place it between the "# Custom Protect Section" and "# End Custom Protect Section"
 comments.
 These comments must remain intact. Any entries between these comments are
 added to the httpd.conf file when it is regenerated.

 Example:
 # Custom Protect Section
 SSLProtocol ALL -SSLv2 -SSLv3
 # End Custom Protect Section

2. Regenerate the httpd.conf:

 UNIX/LINUX Instructions:

 Perform the following while logged in to the eHealth server:

 1. As $NH_USER, stop the httpd daemon:

  nhHttpd stop

 2. Go to the directory: $NH_HOME/web/httpd

 3. Rename your file httpd.conf to httpd.conf.old

 4. In 6.0 SP 02 and later, as the eHealth user, issue the commands:

  cd $NH_HOME/bin

  nhHttpdCfg -user <$NH_USER> -grp <eHealth_user_group> -nhDir $NH_HOME -protect -outFile $NH_HOME/web/httpd/conf/httpd.conf

 Additional notes:
 - $NH_USER is the name of the eHealth user on the target server.

  To find the NH_USER run: env | grep NH_USER

 - The eHealth_user_group is the Unix group to which the eHealth user account belongs.

 5. As $NH_USER, restart the httpd daemon as:

  nhHttpd start

 6. Open a Web browser and verify that the eHealth Web interface is working properly.

 

 Windows Instructions:

 1. Log in as the eHealth user

 2. Rename the %NH_HOME%/web/httpd/httpd.conf to httpd.conf.old

 3. For 6.0 SP 02 and later: From a command prompt in the %NH_HOME%\bin directory, run the following command:

  nhHttpdCfg -user <$NH_USER> -grp Administrators -nhDir %NH_HOME% -protect -outFile %NH_HOME%\web\httpd\conf\httpd.conf
   
 Additional notes:
 - $NH_USER is the name of the eHealth user on the target server.

  To find the NH_USER run: env | grep NH_USER

 4. Select Start -> Settings -> Control Panel -> Services (Alternatively run services.msc from the run window)

 5. Select eHealth httpd<version> (ex: eHealth httpd63); then click Stop

 6. Select eHealth httpd<version> (ex: eHealth httpd63); then click Start

 7. Click Close

 8. Open a Web browser and verify that the eHealth Web interface is working properly.

3. If you choose to drop eHealth back to http mode, you will need to remove this change by editing $NH_HOME/httpd.tpl, removing the line you inserted, and then regenerating httpd.conf once more. Otherwise Apache will not start, as it will no longer recognize the directive.

4. SSL 3.0 must also be disabled on the client side, that is, in the browsers used to access eHealth.

 Internet Explorer:
  1. Open "Internet Options" - "Advanced" - "Security".
  2. Uncheck "SSL 3.0" option. Also check that "TLS 1.0", "TLS 1.1" and "TLS 1.2" options are enabled.

 Firefox:
  1. Type "about:config" in the address bar.
  2. Find "security.tls.version.min" option.
  3. Set its value to "1".
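
A pre-flight check for the template edit in step 1, added here as an example (it is not CA or eHealth code): it confirms that both marker comments are intact and that every SSLProtocol line between them excludes SSLv3. The function name check_protect_section, its exit codes and the sample template are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the eHealth tooling.
# Exit status: 0 = SSLv3 excluded inside the custom protect block
#              1 = no SSLProtocol line in the block, or one that keeps SSLv3
#              2 = a marker comment is missing or was altered
check_protect_section() {
    awk '
        { line = tolower($0) }   # compare case-insensitively
        line ~ /^[ \t]*# custom protect section/     { in_sec = 1; seen_start = 1; next }
        line ~ /^[ \t]*# end custom protect section/ { in_sec = 0; seen_end = 1; next }
        # Only directives between the markers count; commented-out lines do not match.
        in_sec && line ~ /^[ \t]*sslprotocol[ \t]/ {
            found = 1
            # A trailing space is appended so "-sslv3" at end of line also matches.
            if ((line " ") !~ /[ \t]-sslv3[ \t\r]/) weak = 1
        }
        END {
            if (!seen_start || !seen_end) exit 2
            if (!found || weak) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample template, mirroring the example block from step 1.
demo_tpl=$(mktemp)
printf '%s\n' \
    '# Custom Protect Section' \
    ' SSLProtocol ALL -SSLv2 -SSLv3' \
    '# End Custom Protect Section' > "$demo_tpl"

if check_protect_section "$demo_tpl"; then
    echo "sample template: SSLv3 disabled inside the custom protect block"
fi
rm -f "$demo_tpl"
```

Run it against the real template with check_protect_section "$NH_HOME/web/httpd/httpd.tpl" before regenerating httpd.conf in step 2.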