Lately, we have seen some really bad vulnerabilities in SSL (Heartbleed) and Bash (later dubbed “Shellshock”), along with some slightly “lighter” Linux/open source ones.
In September of this year, Google first discovered a fallback attack for SSL v3.0, and they published a paper on it: https://www.openssl.org/~bodo/ssl-poodle.pdf.
Today, it was officially confirmed that SSL version 3.0 is no longer secure, and thus, it is no longer recommended in client software (e.g. web browsers, mail clients, etc.) or server software (e.g. Apache, Postfix, etc.).
This was dubbed the “POODLE” vulnerability, and assigned CVE-2014-3566.
A “POODLE attack” can be used against any website or browser that still supports SSLv3.
Browsers and websites need to turn off SSLv3 as soon as possible in order to avoid compromising sensitive/private information. Even though only a really small percentage of servers/browsers are vulnerable (Mozilla estimates 0.3% of the internet), that is still a large number of users in absolute terms.
Poodletest was first mentioned to me by Curtis Wilcox.
Chris La Nauze mentioned another website which seems great (if not even better than dshield’s):
Until an official patch comes out (this is a design bug, not a software bug – it will most likely be just end-of-lifed), you can turn off SSLv3 support for these major products:
How can I check if my server is vulnerable?
For checking your server, use: https://www.poodlescan.com
If you want something a bit more “trusted”, you can review the source code and download this: https://github.com/0xICF/POODLEScanner
You can install and run this yourself very easily (Ubuntu based systems):
apt-get install python3-ipy
Alternatively, you can also just download “python3-pip” and then install it via “pip3 install IPy”.
Lastly, you can even use some of the more commonly available tools:
One way is via nmap: http://mariuszs.github.io/blog/2014/sslv3-poodle-check.html
Essentially, you are running:
nmap -p 443 --script +ssl-enum-ciphers YOUR.SERVER.ADDRESS.COM
The other way is via OpenSSL directly, which is even simpler (and guaranteed to be available on any Linux system). Force an SSLv3-only handshake: if it completes, SSLv3 is still enabled on the server; a handshake failure means it is off. The -ssl3 option needs an OpenSSL build that still includes SSLv3.
timeout 2 openssl s_client -connect "$1:443" -ssl3 < /dev/null
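What these checks do on the wire is offer SSL 3.0 in a ClientHello and see whether the server answers with a ServerHello for version 3.0. The following Python is an added example, not code from the original post or from POODLEScanner; the function names, the suite list and the sample bytes are assumptions made for illustration.

```python
import os
import socket
import struct

# CBC and RC4 suites that SSLv3-era servers commonly accept (assumed list).
SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
SAMPLE_REFUSAL = b"\x15\x03\x00\x00\x02\x02\x28"  # constructed: fatal handshake_failure alert

def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 (version 3.0) ClientHello record; SSLv3 has no extensions."""
    random_bytes = random_bytes or os.urandom(32)
    body = b"\x03\x00" + random_bytes            # client_version 3.0 + 32-byte random
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2 * len(SUITES)) + b"".join(struct.pack("!H", s) for s in SUITES)
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record a server sends back to the SSLv3 hello."""
    if len(data) < 5:
        return "no-reply"                         # closed or timed out before a full header
    if data[0] == 0x15:
        return "sslv3-refused"                    # alert record: the handshake was rejected
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: server_version follows the 4-byte handshake header
        return "sslv3-enabled" if data[9:11] == b"\x03\x00" else "other-version"
    return "unknown"

def read_record(sock):
    """Read until one whole record (5-byte header plus its length) has arrived."""
    data = b""
    while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def probe(host, port=443, timeout=3.0):
    """Send the hello to a server you administer and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_reply(read_record(sock))
    except OSError:
        return "no-reply"
```

A result of "sslv3-enabled" from probe() means the server still negotiates SSL 3.0 and needs one of the configuration changes listed further down.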
In Firefox, go to “about:config”, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
Patching in Internet Explorer (IE):
Go to: Settings -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”
Edit your ssl.conf (or equivalent virtual config) and add: SSLProtocol All -SSLv2 -SSLv3
Then restart Apache: sudo service apache2 restart
Edit your config and add: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Then restart nginx: sudo service nginx restart
Edit your main.cf config and change: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Then restart postfix: sudo service postfix restart
Open regedit and go to:
Under Protocols you will probably have a folder called “SSL 2.0”. Please create a “SSL 3.0” folder if you don’t have one already. Under the SSL 3.0 folder, please create a DWORD value called “Enabled” with value “0”. At this point, you have to reboot the server.
Another way to solve this problem, per Google, is to “use SSL implementations that take advantage of the TLS_FALLBACK_SCSV feature. This feature notifies the other side that you first tried the stronger cipher. This way, they can reject the downgrade attempt that may have been introduced by a MitM attack.”