POODLE: SSLv3.0 vulnerability

What is POODLE ?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

How to Fix ?

At present there is no working patch for this bug . So that Admin needs to manually disable SSLv3 on their servers .

Disable SSLv3 – Apache

1) Add ”   SSLProtocol All -SSLv2 -SSLv3  ”  to httpd.conf

2) Restart apache service .

Disable SSLv3 – Nginx

1) Add   ” ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ”  to nginx.conf under ssl section .

2) Restart nginx service .

Disable SSLv3 – PostFix

1) change smtpd_tls_mandatory_protocols to ”  smtpd_tls_mandatory_protocols =!SSLv2,!SSLv3 ”

2) Restart postfix server .

Disable SSLv3 – Weblogic

Start weblogic with the following JVM option   ” -Dweblogic.security.SSL.protocolVersion=TLS1  ”

How to Diagnose ?

# openssl s_client -connect localhost:443 -ssl3

==> If you have already disabled sslv3 , then the output will be as follows

20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

==> If you are not disabled the sslv3 and you are getting the following output , then your server is vulnerable to POODLE  !!.

depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify return:1

Certificate chain
 0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
   i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]

Reference :-