
Poodlebleed SSL3 Vulnerability

Posted: Sun Oct 19, 2014 2:49 am
by HVGS
Hi, any chance of an update to address this vulnerability?

Would a tick box to disable SSLv3 be enough?

http://poodlebleed.com/


Thanks
Phil

Re: Poodlebleed SSL3 Vulnerability

Posted: Sun Oct 19, 2014 7:44 am
by Code Crafters
There is already an option called "Use SSL Version 2/3 Mode With TLS" in each listening service. If you leave this unticked which is the default then there is no vulnerability as TLS connections won't try SSL 2 or 3.

Re: Poodlebleed SSL3 Vulnerability

Posted: Sun Oct 19, 2014 9:27 am
by HVGS
Hi Chris,

This option seems to be unavailable for the webmail service.

It's greyed out and the help file says:

"Use SSL Version 2/3 Mode With TLS - This option is not available for WebMail."

Phil

Re: Poodlebleed SSL3 Vulnerability

Posted: Sun Oct 19, 2014 12:28 pm
by Code Crafters
That's because WebMail can only use implicit SSL, so SSL negotiation is done on connect rather than after the connection as with explicit SSL. Only explicit SSL connections have the "Try SSL if TLS fails" option, so WebMail is not affected by this vulnerability at all.

Re: Poodlebleed SSL3 Vulnerability

Posted: Sun Oct 19, 2014 9:22 pm
by HVGS
OK, thanks.

My concern was based on the results from SSL test sites:

https://www.ssllabs.com/ssltest/

"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C"

and

http://poodlebleed.com/

"The Server at ************** has SSL 3.0 enabled. Clients connecting with browsers that support SSL 3.0 and HTTPS fall back will not be secure."

Re: Poodlebleed SSL3 Vulnerability

Posted: Mon Oct 20, 2014 8:14 pm
by Code Crafters
I'll investigate this further and, if needed, add a new setting for all implicit SSL to only use TLS and not any version of SSL. It used to be SSL 2 that was insecure and SSL 3 was OK, but a lot of years have passed and now it seems that possibly only TLS is deemed secure, so an option to disable SSL 3 is probably needed if possible.
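The setting discussed above (an implicit SSL listener that accepts only TLS, never SSL 2 or 3) is what the poodlebleed.com and SSL Labs checks quoted earlier are probing for: they look at whether the server will complete a handshake with a ClientHello whose version is 3.0 (SSL 3.0). The following is an added example, not code from Code Crafters or from the mail server being discussed. It shows, in Python, the two halves of such a setting on a server: a `ssl.SSLContext` whose minimum version is TLS 1.2, and a small gate that reads the `client_version` from the first handshake record and rejects anything below the configured floor. The byte strings are constructed, truncated ClientHello records (header fields only) made for this example; the function names are hypothetical.

```python
import ssl

# TLS/SSL record and handshake constants shared by SSL 3.0 (RFC 6101)
# and TLS 1.x (RFC 5246): content type, handshake type, version pairs.
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)

# Constructed sample records (not captured traffic): record header,
# handshake header, then client_version; the body is truncated after
# client_version, and the length fields describe only those two bytes.
SSLV3_CLIENT_HELLO = bytes([
    0x16, 0x03, 0x00,        # handshake record, record version 3.0
    0x00, 0x06,              # record length
    0x01, 0x00, 0x00, 0x02,  # ClientHello, handshake length
    0x03, 0x00,              # client_version = SSL 3.0
])
TLS12_CLIENT_HELLO = bytes([
    0x16, 0x03, 0x01,        # handshake record, record version 3.1 (common on the wire)
    0x00, 0x06,
    0x01, 0x00, 0x00, 0x02,
    0x03, 0x03,              # client_version = TLS 1.2
])


def tls_only_server_context() -> ssl.SSLContext:
    """Server context for an implicit-TLS listener: TLS 1.2 and up only.

    Setting minimum_version is the supported way (Python 3.7+) to refuse
    SSL 2/3 and TLS 1.0/1.1 at handshake time; the library then never
    offers those versions no matter what the client proposes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if the context's version floor would still admit SSL 3.0."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def min_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the configured floor, e.g. 'TLSv1_2', for reporting."""
    return ctx.minimum_version.name


def client_hello_version(record: bytes) -> tuple:
    """Extract (major, minor) client_version from a ClientHello record.

    Layout: [0] content type, [1:3] record version, [3:5] record length,
    [5] handshake type, [6:9] handshake length, [9:11] client_version.
    The record-layer version is often 3.1 even for TLS 1.2 clients, so
    the handshake-level client_version is the field that matters.
    """
    if len(record) < 11:
        raise ValueError("record too short to contain client_version")
    if record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    if record[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return (record[9], record[10])


def should_accept(record: bytes, minimum: tuple = TLS_1_2) -> bool:
    """Policy gate: accept the hello only if client_version >= minimum."""
    return client_hello_version(record) >= minimum


if __name__ == "__main__":
    ctx = tls_only_server_context()
    print("context floor:", min_version_name(ctx), "allows SSLv3:", allows_sslv3(ctx))
    for name, rec in (("SSLv3 hello", SSLV3_CLIENT_HELLO), ("TLS1.2 hello", TLS12_CLIENT_HELLO)):
        print(name, client_hello_version(rec), "accepted:", should_accept(rec))
```

Two practical points: a real listener should simply hand the socket to `tls_only_server_context().wrap_socket(...)` and let the library reject the SSL 3.0 hello, since the parser above is only there to make the version check visible; and the scanners quoted in the thread grade on the same question, so after changing the setting the SSL Labs result should move from "SSL 3 enabled, grade capped to C" to reporting TLS only.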