Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 2:49 am

Hi, any chance of an update to address this vulnerability?

Would a tick box to disable SSLv3 be enough?

http://poodlebleed.com/


Thanks
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Sun Oct 19, 2014 7:44 am

There is already an option called "Use SSL Version 2/3 Mode With TLS" in each listening service. If you leave this unticked, which is the default, then there is no vulnerability, as TLS connections won't try SSL 2 or 3.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 9:27 am

Hi Chris,

This seems to be an unavailable option for the webmail service.

It's greyed out and the help file says

Use SSL Version 2/3 Mode With TLS - This option is not available for WebMail.

Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Sun Oct 19, 2014 12:28 pm

That's because WebMail can only use implicit SSL so SSL negotiations are done on connect rather than after the connection as with explicit SSL. Only explicit SSL connections have the "Try SSL if TLS fails" option so WebMail is not affected by this vulnerability at all.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 9:22 pm

OK thanks

My concern was based on the results from SSL test sites

https://www.ssllabs.com/ssltest/

"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C"

and

http://poodlebleed.com/

"The Server at ************** has SSL 3.0 enabled. Clients connecting with browsers that support SSL 3.0 and HTTPS fall back will not be secure."
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am
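The test sites quoted above report whether a server still accepts an SSL 3.0 handshake. The following script, added here as an example and not part of the original thread or of the mail server's own code, performs the same check from the command line: it sends a minimal SSL 3.0 ClientHello (record and handshake version 0x0300, no extensions) and classifies the reply. A ServerHello that negotiates version 0x0300 means SSL 3.0 is accepted and POODLE applies; an alert (typically handshake_failure or protocol_version) or an immediate close means it is disabled. The cipher suite list, the constructed sample replies and the `probe_ssl3` helper name are assumptions for this example.

```python
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"

# Cipher suites an SSL 3.0 server could plausibly accept (assumed list for the probe):
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
SSL3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_ssl3_client_hello(random_bytes=None):
    """Return a complete SSL 3.0 record carrying a ClientHello handshake message."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3_VERSION                        # client_version = 3.0
        + random_bytes                      # gmt_unix_time + random (32 bytes)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                       # one compression method: null
    )
    # Handshake header: type ClientHello (1) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (22) + version + 16-bit length.
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record the server sends back to an SSL 3.0 ClientHello."""
    if not data:
        return "rejected: connection closed without a reply"
    ctype = data[0]
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:
        ver = data[9:11]                    # server_version inside the ServerHello
        if ver == SSL3_VERSION:
            return "accepted: ServerHello negotiated SSL 3.0"
        return "unexpected: ServerHello with version %02x%02x" % (ver[0], ver[1])
    if ctype == 0x15 and len(data) >= 7:
        level, desc = data[5], data[6]
        names = {40: "handshake_failure", 70: "protocol_version"}
        return "rejected: alert %s (level %d)" % (names.get(desc, str(desc)), level)
    return "unknown: first byte 0x%02x" % ctype


def probe_ssl3(host, port=443, timeout=5.0):
    """Connect to host:port (implicit SSL, as with WebMail) and report SSL 3.0 support."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


# Constructed sample replies (not captured from any real server) to show the classifier.
SAMPLE_SERVER_HELLO_SSL3 = b"\x16\x03\x00\x00\x26\x02\x00\x00\x22" + SSL3_VERSION + b"\x00" * 32
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x00\x00\x02\x02\x46"
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) >= 3 else 443
        print("%s:%d -> %s" % (host, port, probe_ssl3(host, port)))
    else:
        for sample in (SAMPLE_SERVER_HELLO_SSL3, SAMPLE_ALERT_PROTOCOL_VERSION,
                       SAMPLE_ALERT_HANDSHAKE_FAILURE, b""):
            print(classify_response(sample))
```

Run it as `python probe.py mail.example.com 443` against the WebMail port, or against the IMAP/POP3/SMTP implicit-SSL ports (993, 995, 465). A ServerHello answer means the listener still negotiates SSL 3.0 regardless of how the "Use SSL Version 2/3 Mode With TLS" box is set, which is the condition the POODLE test sites flag; only a rejection means SSL 3.0 is actually off. The probe only reads the first record, so it does not complete a handshake or verify the certificate.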

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Mon Oct 20, 2014 8:14 pm

I'll investigate this further and, if needed, add a new setting for all implicit SSL to only use TLS and not any versions of SSL. It used to be SSL 2 that was insecure and SSL 3 was OK, but a lot of years have passed and now it seems that possibly only TLS is deemed secure, so an option to disable SSL 3 is probably needed if possible.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

