How to disable SSLv3

One-stop resource on how to effectively disable SSLv3 in major web browsers as well as in web, mail and other servers that may still be using it.


Chrome and Chromium

From Chrome 39, fallback to SSLv3 is disabled by default. If you are using Chrome ≥ 40 you are safe, because Chrome/Chromium has disabled SSL 3.0 support completely.

Chrome and Chromium used to have a setting in preferences to let the user specify the preferred protocol, but people allegedly thought that SSL 3.0 was a higher version than TLS 1.0 and would mistakenly disable the latter (source: ImperialViolet).

So, until a Google Chrome or Chromium browser with SSLv3 disabled by default is announced, it is necessary to run Chrome/Chromium with a command line flag:

--ssl-version-min=tls1

If you want, you can modify the shortcut to make it run with the correct flag.

Windows

  1. Right click on the Google Chrome / Chromium shortcut on the Desktop, and click Properties.
  2. In Target, after the last character (a quote), add a space and then --ssl-version-min=tls1.
  3. Click OK, and confirm if it asks for administrator privileges.

Please note that this protects normal browser sessions initiated by clicking on the shortcut on the desktop, but not sessions started by clicking a link in a document or in an email from an external program. To protect every session, you have to set the ChromeHTML/shell/open/command registry value in HKEY_CLASSES_ROOT to "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1" (make sure the path to chrome.exe is correct for your system). — thanks to Dr. Thomas Kunst

Linux / Unix

The process for changing the symbolic links on your desktop and in the application menu varies between desktop environments.

For instance, in Ubuntu, you have to edit the /usr/share/applications/google-chrome.desktop file so that every line starting with Exec= includes --ssl-version-min=tls1.

As an example,

Exec=/usr/bin/google-chrome-stable %U
becomes
Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U

Then save the file and restart the browser. — thanks to gertvdijk on AskUbuntu
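
The same edit can be scripted. This is an added example, not part of the original page: it inserts the flag after the executable in every Exec= line (including those in Desktop Action sections) and skips lines that already carry it. It assumes the executable path contains no spaces; the function names and the sample launcher are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): put --ssl-version-min=tls1 into
# every Exec= line of a .desktop launcher. Assumes the executable path has no spaces.
FLAG='--ssl-version-min=tls1'

# add_tls_flag FILE: rewrite FILE in place, keeping a backup in FILE.bak.
add_tls_flag() {
    cp -p "$1" "$1.bak" || return 1
    awk -v flag="$FLAG" '
        /^Exec=/ && index($0, flag) == 0 {
            n = index($0, " ")              # first space = end of executable path
            if (n == 0) {
                $0 = $0 " " flag            # bare command without arguments
            } else {
                $0 = substr($0, 1, n - 1) " " flag substr($0, n)
            }
        }
        { print }
    ' "$1.bak" > "$1"
}

# count_unprotected FILE: print how many Exec= lines still lack the flag.
count_unprotected() {
    awk -v flag="$FLAG" '/^Exec=/ && index($0, flag) == 0 { n++ } END { print n + 0 }' "$1"
}

# write_sample FILE: constructed launcher with three Exec= lines (main entry
# plus two Desktop Action sections); not a copy of the real file.
write_sample() {
    cat > "$1" <<'EOF'
[Desktop Entry]
Name=Google Chrome
Exec=/usr/bin/google-chrome-stable %U

[Desktop Action new-window]
Exec=/usr/bin/google-chrome-stable

[Desktop Action new-private-window]
Exec=/usr/bin/google-chrome-stable --incognito
EOF
}

# Demo on a temporary file; run add_tls_flag on the real launcher as root.
sample=$(mktemp)
write_sample "$sample"
echo "before: $(count_unprotected "$sample") unprotected Exec= lines"
add_tls_flag "$sample"
cat "$sample"
echo "after: $(count_unprotected "$sample") unprotected Exec= lines"
rm -f "$sample" "$sample.bak"
```

Files under /usr/share/applications belong to the package, so an upgrade can replace the launcher; re-run count_unprotected on it after browser updates.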

Chromium only: on the stable releases of Debian and Ubuntu, edit /etc/chromium-browser/default and add:

CHROMIUM_FLAGS="--ssl-version-min=tls1"

On the unstable release of Debian, create /etc/chromium.d/disable-sslv3 with content:

CHROMIUM_FLAGS="${CHROMIUM_FLAGS} --ssl-version-min=tls1"

thanks to David McBride

Mac OS X

Open AppleScript Editor (in /Applications/Utilities/), and type this in:

do shell script "open '/Applications/Google Chrome.app' --args --ssl-version-min=tls1"

Save it as an Application, and add that application to the Dock.

Credits

This page was compiled by Michele Spagnuolo.