Tags: c#, nancy, self-hosting, poodle-attack

Can I turn off SSLv3.0 in NancyFX? (POODLE)


I'm running a web app with a C# backend on self-hosting NancyFX. I have tried googling, but I really cannot find any information on whether it is possible to turn off SSL 3 in Nancy.

Is it possible, and if so, how?

Please feel free to ask for details if needed.

Also, sorry if this should have been posted on serverfault instead. I'm hoping for a code-related answer, because the app is installed locally at a few thousand clients and I would really prefer to not have to go in and do things manually on every single server...


Solution

  • I don't think it's possible, but it's probably better to disable it at the Windows level anyway.

    https://technet.microsoft.com/en-us/library/security/3009008.aspx

    Taken from the MS website:

    Disable SSL 3.0 in Windows

    For Server Software

    You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key:
       HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
       Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3. On the Edit menu, click Add Value.
    4. In the Data Type list, click DWORD.
    5. In the Value Name box, type Enabled, and then click OK. Note If this value is present, double-click the value to edit its current value.
    6. In the Edit DWORD (32-bit) Value dialog box, type 0.
    7. Click OK. Restart the computer.

    Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

    Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.

    For Client Software

    You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key:
       HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
       Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3. On the Edit menu, click Add Value.
    4. In the Data Type list, click DWORD.
    5. In the Value Name box, type Enabled, and then click OK. Note If this value is present, double-click the value to edit its current value.
    6. In the Edit DWORD (32-bit) Value dialog box, type 0.
    7. Click OK. Restart the computer.

    Note This workaround will disable SSL 3.0 for all client software installed on a system.

    Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.
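
The registry steps quoted above can be scripted so they do not have to be clicked through on every machine. The following PowerShell is an added example, not part of the original answer or of the Microsoft advisory; the function name `Disable-Ssl3Role` is hypothetical, and it assumes an elevated session on each target host.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the quoted steps for the Server and Client keys.
# Sets only the "Enabled" DWORD to 0, exactly as the quoted procedure does.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3Role {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'Client')]
        [string]$Role
    )
    $path = Join-Path $base $Role

    # Step 2: create the key path if it does not exist yet.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # Record the previous value so the run can be audited afterwards.
    $before = (Get-ItemProperty -LiteralPath $path -Name Enabled `
                   -ErrorAction SilentlyContinue).Enabled

    # Steps 3-6: create or overwrite the Enabled DWORD with 0.
    New-ItemProperty -LiteralPath $path -Name Enabled -Value 0 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back instead of assuming the write succeeded.
    $after = (Get-ItemProperty -LiteralPath $path -Name Enabled).Enabled

    [pscustomobject]@{
        Role    = $Role
        Before  = if ($null -eq $before) { '(not set)' } else { $before }
        After   = $after
        Changed = ($before -ne $after)
    }
}

$results = 'Server', 'Client' | ForEach-Object { Disable-Ssl3Role -Role $_ }
$results | Format-Table -AutoSize

# Fail the deployment job if any read-back value is not 0.
if ($results | Where-Object { $_.After -ne 0 }) {
    Write-Error 'SSL 3.0 is still enabled for at least one role.'
    exit 1
}
# Step 7: the setting takes effect after a restart; this script does not reboot.
if ($results | Where-Object { $_.Changed }) {
    Write-Warning 'Registry updated. Restart the computer to apply the change.'
}
```

The same two notes from the quoted text apply: this affects all server and client software on the machine that uses SCHANNEL, and peers that support only SSL 3.0 will no longer be able to connect.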