Koozali.org: home of the SME Server

"Poodle" vulnerability with SSL v. 3

holck

"Poodle" vulnerability with SSL v. 3
« on: October 16, 2014, 02:01:48 PM »
Redhat and others have drawn attention to a vulnerability ("Poodle") with SSL v. 3 https://access.redhat.com/articles/1232123, and as far as I can see, this is relevant for SME server 8.x also. The proposed resolution is to disable httpd's use of SSL v. 3.

You can use this site to test if you are affected: https://ssltools.geotrust.com/checker/views/certCheck.jsp

Jesper, Denmark

holck

Re: "Poodle" vulnerability with SSL v. 3
« Reply #1 on: October 16, 2014, 02:26:53 PM »
Here is a proposed resolution:

Create a new file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
with the following contents
Code:
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all -SSLv2 -SSLv3"
}

And then do
Code:
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# sv restart httpd-e-smith
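The fragment above works because mod_ssl reads the SSLProtocol tokens left to right: "all" selects every protocol it knows, "-SSLv3" then removes it, and a bare name with no sign replaces whatever earlier tokens selected, so token order decides the result. The following Python checker is an added example, not code from this thread or from the SME Server project; it evaluates a directive with those rules and reports whether SSLv3 is still enabled in a given httpd.conf text. The protocol set that "all" expands to is assumed to be the httpd 2.2 set (SSLv2, SSLv3, TLSv1), and the sample config lines are constructed.

```python
"""Audit Apache httpd.conf text for the SSLProtocol setting the POODLE
workaround needs: SSLv3 must be absent from the effective protocol set."""
import re

# Assumption: what "all" expands to in the httpd 2.2 mod_ssl documentation
# (SME Server 8 era); pass a different tuple for newer httpd (TLSv1.1, TLSv1.2).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def effective_protocols(directive, all_protocols=ALL_PROTOCOLS):
    """Evaluate one SSLProtocol argument list the way mod_ssl does: tokens are
    read left to right, '+name' adds, '-name' removes, and a bare name REPLACES
    everything set so far; 'all' stands for every known protocol. Names are
    case-insensitive; an unknown name is a configuration error."""
    canonical = {name.lower(): name for name in all_protocols}
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[:1] in "+-" else ("", token)
        if name.lower() == "all":
            names = set(all_protocols)
        elif name.lower() in canonical:
            names = {canonical[name.lower()]}
        else:
            raise ValueError(f"SSLProtocol: illegal protocol '{name}'")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:            # bare token: overrides what earlier tokens selected
            enabled = names
    return enabled

DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def sslv3_enabled(httpd_conf_text):
    """True if the last SSLProtocol directive in the text (mod_ssl's default
    is 'all' when there is none) still leaves SSLv3 enabled. Commented-out
    lines do not match because '#' is not whitespace. Assumes a single
    context (no per-VirtualHost overrides)."""
    found = DIRECTIVE_RE.findall(httpd_conf_text)
    return "SSLv3" in effective_protocols(found[-1] if found else "all")

# Constructed sample of the relevant lines, before and after holck's fragment.
BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: SSLv3 enabled = {sslv3_enabled(text)}")
```

Note that "-SSLv3 all" evaluates to all protocols, SSLv3 included, because the bare "all" overrides the earlier removal; the order used in the fragment above is the one that works.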

Daniel B.

Re: "Poodle" vulnerability with SSL v. 3
« Reply #2 on: October 16, 2014, 02:42:28 PM »
Please open a bug so we can take a look at this
It's the end of the world!!! :lol:

mmccarn

Re: "Poodle" vulnerability with SSL v. 3
« Reply #3 on: October 16, 2014, 03:18:05 PM »
Here is a proposed resolution:

Create a new file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
with the following contents
Code:
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all -SSLv2 -SSLv3"
}

And then do
Code:
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# sv restart httpd-e-smith

Testing at https://www.ssllabs.com/ssltest/index.html before and after applying holck's fix confirms that my 8.1 server was vulnerable to POODLE beforehand but is not afterwards.


CharlieBrady

Re: "Poodle" vulnerability with SSL v. 3
« Reply #5 on: October 17, 2014, 03:38:27 PM »
Here is a proposed resolution:

That's not a proposed resolution. That's a proposed temporary workaround. The resolution is to make a change in the software.

Thanks

CharlieBrady

Re: "Poodle" vulnerability with SSL v. 3
« Reply #6 on: October 17, 2014, 03:55:23 PM »
To put this issue in proportion, please read the "is only a poodle" section of this document:

http://www.theregister.co.uk/2014/10/16/poodle_analysis/