Poodlebleed SSL3 Vulnerability

Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 2:49 am

Hi, any chance of an update to address this vulnerability ?

Tick box to disable SSLV3 would be enough ?

http://poodlebleed.com/


Thanks
Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Sun Oct 19, 2014 7:44 am

There is already an option called "Use SSL Version 2/3 Mode With TLS" in each listening service. If you leave this unticked which is the default then there is no vulnerability as TLS connections won't try SSL 2 or 3.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 9:27 am

Hi Chris,

This seems to be unavailable option for the webmail service.

It's greyed out and the help file says

Use SSL Version 2/3 Mode With TLS - This option is not available for WebMail.

Phil
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Sun Oct 19, 2014 12:28 pm

That's because WebMail can only use implicit SSL so SSL negotiations are done on connect rather than after the connection as with explicit SSL. Only explicit SSL connections have the "Try SSL if TLS fails" option so WebMail is not affected by this vulnerability at all.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Poodlebleed SSL3 Vulnerability

Postby HVGS » Sun Oct 19, 2014 9:22 pm

OK thanks

My concern was based on the results from SSL test sites

https://www.ssllabs.com/ssltest/

"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C"

and

http://poodlebleed.com/

"The Server at ************** has SSL 3.0 enabled. Clients connecting with browsers that support SSL 3.0 and HTTPS fall back will not be secure."
HVGS
 
Posts: 33
Joined: Wed Jan 30, 2008 6:02 am

Re: Poodlebleed SSL3 Vulnerability

Postby Code Crafters » Mon Oct 20, 2014 8:14 pm

I'll investigate this further and if needed add a new setting for all implicit SSL to only use TLS and not any versions of SSL. It used to be SSL 2 that was unsecure and SSL 3 was ok but a lot of years have passed and now it seems that possibly only TLS is deemed secure so an option to disable SSL 3 is probably needed if possible.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm


Return to General

Who is online

Users browsing this forum: No registered users and 20 guests

cron