Tuesday, January 20, 2015

POODLE: SSLv3.0 vulnerability




POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.


Currently there is no working patch for this bug. we need to manually disable SSLv3 on the servers .

For disabling SSLv3 in httpd please follow the below steps

* Add ”   SSLProtocol All -SSLv2 -SSLv3  ”  to httpd.conf

* Restart apache service .

 /etc/init.d/httpd restart

For disabling SSLv3 in nginx please follow the below steps

* Add   ” ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ”  to nginx.conf under ssl section .

* Restart nginx service .

/etc/init.d/nginx restart

For disabling SSLv3 in postfix please follow the below steps

* change smtpd_tls_mandatory_protocols to ”  smtpd_tls_mandatory_protocols =!SSLv2,!SSLv3 ”

* Restart postfix server .

/etc/init.d/postfix restart

For disabling SSLv3 in weblogic please follow the below steps

* Start weblogic with the following JVM option   ” -Dweblogic.security.SSL.protocolVersion=TLS1  ”

How to Diagnose the issue

# openssl s_client -connect localhost:443 -ssl3

==> If you have already disabled sslv3 , then the output will be as follows

CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

==> If you are not disabled the sslv3 and you are getting the following output , then your server is vulnerable to POODLE  !!.

CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify return:1

Certificate chain
 0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
   i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com

Reference :-

https://www.openssl.org/~bodo/ssl-poodle.pdf

http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/ssl.html

http://saralinux.blogspot.in/
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)