sunhux
asked on
Patch & workaround for SSLv3 Poodle vulnerability
I refer to the vulnerability described below:
· http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
· https://www.openssl.org/~bodo/ssl-poodle.pdf
· http://googleonlinesecurity.blogspot.sg/2014/10/this-poodle-bites-exploiting-ssl-30.html
· http://en.wikipedia.org/wiki/Padding_oracle_attack
· http://mashable.com/2014/10/14/google-design-vulnerability-ssl-3-0/
· http://thenextweb.com/google/2014/10/15/web-encryption-vulnerability-opens-encrypted-data-hackers/
Q1:
Can I disable SSLv3 in browser & web servers (IIS & Apache) using method/command given in
EE link below & if so pls provide the exact steps/commands:
https://www.experts-exchange.com/questions/28415542/SSL-Registry-Change-Question.html
Q2:
I recall for Heartbleed vulnerability, MS came up with workarounds (in IE & some registry) & a couple
of weeks later, released a patch for it. Is there similar registry workaround (perhaps this was asked
in Q1 above) & will MS be releasing a patch for it?
Any RHEL 5.x/6.x & Solaris x86 Ver 10 patches?
Q3:
If SSLv3 is disabled, how will web service work then? I recall 1-2 years back, we can disable SSLv2
& one EE expert told me the browser will auto-detect & move on to use SSLv3 if it detects SSLv2
is disabled? So if both SSLv2 & v3 are disabled, is there something else it will move to?
Q4:
Will deploying host-based IPS (say TrendMicro) more likely to break the app/service (esp web service)
compared to disabling SSLv3 ?
Q5:
Is SSLv3 with TLS1.0, TLS1.1 and TLS1.2 ciphers in F5 loadbalancer also affected by this vulnerability?
Q6:
If we disable SSLv3 in F5 loadbalancer, what's the other alternative the F5 will use? Assume we
rule out SSLv2 will be used.
· http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
· https://www.openssl.org/~bodo/ssl-poodle.pdf
· http://googleonlinesecurity.blogspot.sg/2014/10/this-poodle-bites-exploiting-ssl-30.html
· http://en.wikipedia.org/wiki/Padding_oracle_attack
· http://mashable.com/2014/10/14/google-design-vulnerability-ssl-3-0/
· http://thenextweb.com/google/2014/10/15/web-encryption-vulnerability-opens-encrypted-data-hackers/
Q1:
Can I disable SSLv3 in browser & web servers (IIS & Apache) using method/command given in
EE link below & if so pls provide the exact steps/commands:
https://www.experts-exchange.com/questions/28415542/SSL-Registry-Change-Question.html
Q2:
I recall for Heartbleed vulnerability, MS came up with workarounds (in IE & some registry) & a couple
of weeks later, released a patch for it. Is there similar registry workaround (perhaps this was asked
in Q1 above) & will MS be releasing a patch for it?
Any RHEL 5.x/6.x & Solaris x86 Ver 10 patches?
Q3:
If SSLv3 is disabled, how will web service work then? I recall 1-2 years back, we can disable SSLv2
& one EE expert told me the browser will auto-detect & move on to use SSLv3 if it detects SSLv2
is disabled? So if both SSLv2 & v3 are disabled, is there something else it will move to?
Q4:
Will deploying host-based IPS (say TrendMicro) more likely to break the app/service (esp web service)
compared to disabling SSLv3 ?
Q5:
Is SSLv3 with TLS1.0, TLS1.1 and TLS1.2 ciphers in F5 loadbalancer also affected by this vulnerability?
Q6:
If we disable SSLv3 in F5 loadbalancer, what's the other alternative the F5 will use? Assume we
rule out SSLv2 will be used.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I do encourage you check on the openssl vulnerability on top of the POODLE on those released in 15th October 2014 e.g. CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568
https://www.openssl.org/news/vulnerabilities.html
https://www.openssl.org/news/vulnerabilities.html
ASKER
> The security advisory from OpenSSL.org recommended the usage of
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.
I'm interested to know the steps on how to implement the above for
IIS & Apache. Can share the details?
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.
I'm interested to know the steps on how to implement the above for
IIS & Apache. Can share the details?
ASKER
Oh, I forgot that Openssl is only for Apache.
So can I safely say that IIS (that uses say Netrust SSL) is not affected
by this Poodle vulnerability?
So can I safely say that IIS (that uses say Netrust SSL) is not affected
by this Poodle vulnerability?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
> The security advisory from OpenSSL.org recommended the usage of
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.
Thanks Gary for sharing the change needed to implement the above for
Apache.
Thanks Btan, are the steps you shared for IIS also implement the above or
it's just disabling SSLv2 & SSLv3 completely ie with no option to support
a legacy SSLv3? Just wanted to reduce risk of breaking apps
> TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0
> is used only when necessary (when a legacy implementation is
> involved). This way, attackers can no longer force a protocol
> downgrade.
Thanks Gary for sharing the change needed to implement the above for
Apache.
Thanks Btan, are the steps you shared for IIS also implement the above or
it's just disabling SSLv2 & SSLv3 completely ie with no option to support
a legacy SSLv3? Just wanted to reduce risk of breaking apps
TLS has been around for 15 years, it's highly unlikely you have anything relying purely on SSL v3 but instead using TLS.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I was under the impression there is no fix, the linux updates that are happening are more a disabling of it as fallback protocol - and you should manually disable it yourself on all devices that may use it