What is POODLE?
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
How to Fix?
At present there is no working patch for this bug, so admins need to manually disable SSLv3 on their servers.
Disable SSLv3 – Apache
1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf.
2) Restart the Apache service.
Disable SSLv3 – Nginx
1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.
2) Restart the nginx service.
Disable SSLv3 – Postfix
1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3".
2) Restart the Postfix server.
Disable SSLv3 – WebLogic
Start WebLogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"
How to Diagnose?
# openssl s_client -connect localhost:443 -ssl3
==> If you have already disabled SSLv3, the output will look like this:
CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
==> If you have not disabled SSLv3 and you get the following output, then your server is vulnerable to POODLE!
CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify return:1
---
Certificate chain
0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
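The two outcomes above can be told apart automatically, as in this added example (not part of the original post). The function names and the third "inconclusive" verdict are assumptions introduced here; that verdict covers probes that never reach an SSLv3 handshake, such as nothing listening on the port or a local openssl built without SSLv3, which must not be read as "disabled".

```sh
#!/bin/sh
# Added example: classify the output of `openssl s_client ... -ssl3`.

# Reads s_client output on stdin; prints enabled | disabled | inconclusive.
classify_sslv3() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^Certificate chain'; then
        # Handshake completed over SSLv3: the server sent its certificate.
        echo enabled
    elif printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        # Server answered the SSLv3 hello with a fatal handshake failure alert.
        echo disabled
    else
        # No verdict: the probe never got as far as an SSLv3 handshake.
        echo inconclusive
    fi
}

# Live probe of one host:port (needs network and an openssl that accepts -ssl3).
check_host() {
    openssl s_client -connect "$1" -ssl3 </dev/null 2>&1 | classify_sslv3
}

# Constructed samples, abbreviated from the two outputs shown on this page.
sample_disabled() {
    cat <<'EOF'
CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
EOF
}
sample_enabled() {
    cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
Certificate chain
EOF
}
# Constructed sample: a probe that never reached a TLS endpoint.
sample_unreachable() {
    echo 'connect: Connection refused'
}

# Offline demo over the constructed samples.
for s in sample_disabled sample_enabled sample_unreachable; do
    printf '%s: SSLv3 %s\n' "$s" "$("$s" | classify_sslv3)"
done
```

For a real server, run check_host localhost:443 and treat anything other than "disabled" as needing follow-up.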
References:
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/ssl.html