Tuesday, January 20, 2015
POODLE: SSLv3.0 vulnerability
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
Currently there is no working patch for this bug. we need to manually disable SSLv3 on the servers .
For disabling SSLv3 in httpd please follow the below steps
* Add ” SSLProtocol All -SSLv2 -SSLv3 ” to httpd.conf
* Restart apache service .
/etc/init.d/httpd restart
For disabling SSLv3 in nginx please follow the below steps
* Add ” ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ” to nginx.conf under ssl section .
* Restart nginx service .
/etc/init.d/nginx restart
For disabling SSLv3 in postfix please follow the below steps
* change smtpd_tls_mandatory_protocols to ” smtpd_tls_mandatory_protocols =!SSLv2,!SSLv3 ”
* Restart postfix server .
/etc/init.d/postfix restart
For disabling SSLv3 in weblogic please follow the below steps
* Start weblogic with the following JVM option ” -Dweblogic.security.SSL.protocolVersion=TLS1 ”
How to Diagnose the issue
# openssl s_client -connect localhost:443 -ssl3
==> If you have already disabled sslv3 , then the output will be as follows
CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
==> If you are not disabled the sslv3 and you are getting the following output , then your server is vulnerable to POODLE !!.
CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify return:1
—
Certificate chain
0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
Reference :-
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/ssl.html
http://saralinux.blogspot.in/
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment