There are no patches since the POODLE vulnerability is a design flaw in the protocol itself and not an implementation bug. TLS is now the preferred encryption protocol.
Are you vulnerable?
Courtesy of this website, you can check if your website is available over SSLv3 with:
curl -v -3 -X HEAD https://www.raastech.comIf you are not vulnerable, you should not be able to connect, and your output should look something like this:
* SSL peer handshake failed, the server most likely requires a client certificate to connectIf you are vulnerable, you should see normal connection output, including the line:
* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL
Fix for Apache
1. Edit the ssl.conf and add the following:
SSLProtocol All -SSLv2 -SSLv3
Fix for WebLogic Server
1. Add the following to all the JVMs:
-Dweblogic.security.SSL.protocolVersion=TLS12. Remove the following line if found in the configuration:
Fix for Oracle HTTP Server (OHS)
1. Edit httpd.conf and edit the SSLProtocol directive as follows:
OLD: SSLProtocol ALL –SSLv2
NEW: SSLProtocol ALL –SSLv2 –SSLv32. Restart.