SSL POODLE attacks on SSLv3 vulnerability

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 15, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    47,202
    10,670
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,575
    Local Time:
    1:30 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Last edited: Oct 16, 2014
  2. eva2000
    Cloudflare disables SSLv3 across their network SSLv3 Support Disabled By Default Due to POODLE Vulnerability

     
  3. eva2000
    The SSL Labs test has added a POODLE advisory check message, which seems to check for TLS_FALLBACK_SCSV support: Qualys SSL Labs - Projects / SSL Server Test

    For the forums at community.centminmod.com: RSA 2048 bit with Cloudflare RC4 Kill patch + OpenSSL 1.0.2 beta4 + chacha20_poly1305 cipher support (will implement the OpenSSL 1.0.2 patch for TLS_FALLBACK_SCSV later today, although it is not necessary as I have SSLv3 disabled)

    [screenshot: ssllabs_poodle_check_00.png]
    [screenshot: ssllabs_poodle_check_03.png]

    For sslspdy.com, which uses ECC 256 bit certificates with Cloudflare RC4 Kill patch + OpenSSL 1.0.2 beta4 + chacha20_poly1305 cipher support + OpenSSL 1.0.2 patch for TLS_FALLBACK_SCSV

    [screenshot: ssllabs_poodle_check_sslspdycom_00.png]
    [screenshot: ssllabs_poodle_check_sslspdycom_03.png]
     
    Last edited: Oct 16, 2014
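Added example, not part of the thread or of any of the projects mentioned in it: what the SSL Labs "POODLE" advisory is actually probing for is whether a server implements the TLS_FALLBACK_SCSV rule from RFC 7507. The code below builds a minimal ClientHello (constructed test data, no network), parses it, and applies the server-side decision: if the signalling suite 0x5600 is present and the client's advertised version is below the highest version the server supports, the server must abort with an inappropriate_fallback alert rather than quietly negotiating the older protocol. The parser is deliberately simplified (it assumes a single record with no extensions), and the 0x0303 server maximum is an assumption for the example.

```python
"""Added example: RFC 7507 TLS_FALLBACK_SCSV server-side decision on a constructed ClientHello."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value from RFC 7507
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal TLS record carrying a ClientHello (constructed test data only).

    Layout: record header (type 0x16, version, length) followed by a handshake
    message (type 0x01, 3-byte length) whose body is client_version, 32 bytes of
    random, an empty session id, the cipher suite list and one null compression method.
    """
    random_bytes = bytes(32)                     # constant random is fine for a parser test
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", client_version) + random_bytes
            + b"\x00"                                    # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # compression_methods: [null]
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", client_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a single-record ClientHello.

    Simplified: extensions, if any, are ignored; malformed input raises ValueError.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def fallback_decision(record, server_max_version=0x0303):
    """Apply RFC 7507 section 3 as a server whose highest version is server_max_version.

    Abort only when the SCSV is present AND the client advertises something lower
    than what the server could do; a genuinely old client without the SCSV, or a
    client already at the server's maximum, is negotiated normally.
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "abort: inappropriate_fallback"
    negotiated = min(client_version, server_max_version)
    return "negotiate " + VERSIONS.get(negotiated, hex(negotiated))


if __name__ == "__main__":
    # A browser retrying at TLS 1.0 after a failed TLS 1.2 attempt includes the SCSV;
    # a server that honours it refuses, which is what stops a forced downgrade to SSLv3.
    retry = build_client_hello(0x0301, [0xC02F, 0x002F, TLS_FALLBACK_SCSV])
    print(fallback_decision(retry))
```

The last branch is the one worth noting: when the server itself only supports the version the client is retrying at, the SCSV is not a reason to abort. The thread's own point still holds, though: with SSLv3 removed from `ssl_protocols` entirely, the SCSV only protects clients from being pushed to TLS 1.0/1.1, so disabling SSLv3 is the primary fix and the SCSV is defence in depth.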
  4. eva2000
  5. rdan

    rdan Well-Known Member

    5,074
    1,251
    113
    May 25, 2014
    Ratings:
    +1,903
    Local Time:
    11:30 AM
    Mainline
    10.2
    I just used Floren's OpenSSL repo :)
     
  6. rdan
  7. eva2000
  8. rdan
    Bye bye XP users :(
     
  9. eva2000
    Yeah, only ~0.0032% for me :D
     
  10. rdan
    Woh!
    Still wanting to remove SSL/HTTPS completely.
    I hope there's a solution?
     
  11. eva2000
    You going back to non-HTTPS?
     
  12. rdan
    Yes if there's a solution?
     
  13. rdan
    I mean for all my old visitors to be forced back to HTTP as well, without the redirect loop problem.
     
  14. eva2000
    AFAIK, you'd have to suffer through that - well, your visitors would.
     
  15. eva2000
    Red Hat OpenSSL updates for TLS_FALLBACK_SCSV support are available now: Red Hat Customer Portal. Guess we're waiting on the CentOS equivalent releases.

    For Redhat 6 64bit
    Code:
    x86_64:
    openssl-1.0.1e-30.el6_6.2.i686.rpm        MD5: 278926b7afa624194b03a79c81379dcd
    SHA-256: e85e84237f069e64333603fbed965b4d0b034c2933c9160eaf4b605d8c3ccd16
    openssl-1.0.1e-30.el6_6.2.x86_64.rpm        MD5: 77288f1243c4bf199fc4b6f744f13c89
    SHA-256: 904b7d8367de9f94c1878720e634a226ea3c1f67067af6a939dd05f68e7ab1ac
    openssl-debuginfo-1.0.1e-30.el6_6.2.i686.rpm        MD5: a5c62586bfddcfe2d18bf4910685d16a
    SHA-256: 5ad1eb82ca9b17be5cd78e39e1e3ec8048e10ecc2bf9b009421680f5bb439064
    openssl-debuginfo-1.0.1e-30.el6_6.2.x86_64.rpm        MD5: 70bd38e4cdbb698e355c9dbbcd1091f1
    SHA-256: be01e3eb8e1cfdc95c91f7d634c6b76a119c3bc1c74e02affccc67f66d518735
    openssl-devel-1.0.1e-30.el6_6.2.i686.rpm        MD5: 1e968a7dabf5d30fa6fad4b8451eff21
    SHA-256: 32f1611b3c8934fc10ac3ed87e57847bdaa4f4aebb21ed25d3b6c005722d1bda
    openssl-devel-1.0.1e-30.el6_6.2.x86_64.rpm        MD5: 5aa28f964c7ae6281e16887edbdcd0c8
    SHA-256: dcbbbd1b21733e3e3168897120bfc1674c051c4efe7a621d5c5dece211169207
    openssl-perl-1.0.1e-30.el6_6.2.x86_64.rpm        MD5: 208235778b4409742d1468053e6d5dd7
    SHA-256: f14e04f00a6ac0ee2583094cb42c191016fe93aa628360d71063ad245259e8b3
    openssl-static-1.0.1e-30.el6_6.2.x86_64.rpm        MD5: eb5521bb44c64ca8df7fe83effaa601b
    SHA-256: 31cbe1c6d6b434cddca35a1c27b707e5b0587c6101d1adf003b3c6f6bb1bb397
    For Redhat 7 64bit
    Code:
    x86_64:
    openssl-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: 20f3de478123189454e8391c7e7f5fba
    SHA-256: 92bd4a7ca76174a626894947455f79d591bc400a5fb001fb38d604409a70f444
    openssl-debuginfo-1.0.1e-34.el7_0.6.i686.rpm        MD5: 705d3b4ec60c2ed413cfa50f0afeabba
    SHA-256: e1c4fc368277f02bc2d0657955a36403c1555ab38fa9d0c865c5383febc2b98a
    openssl-debuginfo-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: 0f6e778f0130698ffd7acc0ad54e2547
    SHA-256: 260aeffe0edec7306702c983670b631dd6c7134c6121cabaf033a4c393f90d86
    openssl-devel-1.0.1e-34.el7_0.6.i686.rpm        MD5: 8adc48e8f6630c2aa91913c882e3e36d
    SHA-256: c7c811a6c9ceca5e474d223939f6f014613f59eac1c2cf1d910bc25faf1195a7
    openssl-devel-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: ebfeeea65c5f39bb6ab81dd840c62533
    SHA-256: 74f6d0ccfaefdbb042a91fac6111a0ec9c431c0c97528ff147ad839b55fe19de
    openssl-libs-1.0.1e-34.el7_0.6.i686.rpm        MD5: faf2536727c4351f63e42f8a62fe6d5e
    SHA-256: 0e1307b329d32000b853b3614b5f1e6d88cb673fa5614d5e499802dc8967ca12
    openssl-libs-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: a821939689a064a7136fa721a0a07962
    SHA-256: b3f6d8b2c201705829d104c0f3c7b03420dd937f3c191aaec6b53c6d43118f25
    openssl-perl-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: 3b693add6dd2f2ab323ba1cf3e93a914
    SHA-256: f8a5d90f16fa82f10f2c368ce7111a111006d31a6e43cb5e018055d62d825ea7
    openssl-static-1.0.1e-34.el7_0.6.i686.rpm        MD5: 58f3806d1649f7a2a934ebe774818fe7
    SHA-256: 9c4c823b0ced1577b2775b63365fd096c1ecb70e9ee837d5b3a5089870349d48
    openssl-static-1.0.1e-34.el7_0.6.x86_64.rpm        MD5: e7a9eeae6cee59e355411aaa02a6b07d
    SHA-256: 3ed6dda62bad80d31b28ae4b159ed3fe4b98ea2bcbdc2caef9f6ea8d56391b26
     
  16. eva2000
  17. eva2000
    Updates for CentOS are upon us.

    CentOS 6.5 32bit
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.i686                                                                 1.0.1e-30.el6_5.2                                                           updates
    openssl-devel.i686                                                           1.0.1e-30.el6_5.2                                                           updates
    CentOS 7.0 64bit
    Code:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.x86_64                                                               1:1.0.1e-34.el7_0.6                                                         updates
    openssl-devel.x86_64                                                         1:1.0.1e-34.el7_0.6                                                         updates
    openssl-libs.x86_64                                                          1:1.0.1e-34.el7_0.6                                                         updates
    For CentOS 7
    Code:
    rpm -qa -changelog openssl | head -n5
    * Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.6
    - fix CVE-2014-3567 - memory leak when handling session tickets
    - fix CVE-2014-3513 - memory leak in srtp support
    - add support for fallback SCSV to partially mitigate CVE-2014-3566
      (padding attack on SSL3)
    
    For CentOS 6
    Code:
    rpm -qa -changelog openssl | head -n5
    * Wed Oct 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.2
    - fix CVE-2014-3567 - memory leak when handling session tickets
    - fix CVE-2014-3513 - memory leak in srtp support
    - add support for fallback SCSV to partially mitigate CVE-2014-3566
      (padding attack on SSL3)
    
     
    Last edited: Oct 17, 2014
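Added example, not part of the thread: once the fixed package versions are known (the el6/el7 EVRs quoted from the Red Hat advisory and the yum output above), the practical check on each box is whether the installed OpenSSL is at or above that version. Plain string comparison gets RPM versions wrong (`1.0.1e-34.el7_0.6` vs `1.0.1e-30.el6_6.2`, epochs, `el6_5` vs `el6_6`), so the code below carries a simplified port of rpm's `rpmvercmp` segment comparison (no caret handling) plus epoch/version/release splitting. The input format assumed is what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' openssl` prints, where a missing epoch appears as `(none)`; the installed-version strings in the sample run are constructed.

```python
"""Added example: is the installed OpenSSL RPM at or above the fallback-SCSV fix version?"""
import re

# Fixed EVRs as quoted in this thread (Red Hat 6/7 advisory and CentOS yum output).
FIXED_EVR = {
    "el6_5": "1.0.1e-30.el6_5.2",
    "el6_6": "1.0.1e-30.el6_6.2",
    "el7_0": "1:1.0.1e-34.el7_0.6",
}

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+|~)")


def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp(): returns -1, 0 or 1.

    Strings are split into numeric, alphabetic and tilde segments; numeric
    segments compare as integers and beat alphabetic ones, tilde sorts before
    everything, and a string with extra trailing segments is newer unless the
    first extra segment is a tilde.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).

    Accepts the '(none)' epoch that rpm --qf prints for packages without one.
    """
    epoch, version, release = 0, evr, ""
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_compare(a, b):
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr, fixed_evr):
    """True when the installed EVR is at or above the fixed EVR."""
    return evr_compare(installed_evr, fixed_evr) >= 0


def check_hosts(inventory):
    """Evaluate a {host: (dist_tag, installed_evr)} map (constructed data) and
    return the hosts that still need the update."""
    return sorted(host for host, (tag, evr) in inventory.items()
                  if not is_patched(evr, FIXED_EVR[tag]))


if __name__ == "__main__":
    sample = {                                   # constructed inventory, not real hosts
        "web1": ("el6_5", "(none):1.0.1e-30.el6_5.2"),
        "web2": ("el6_5", "(none):1.0.1e-16.el6_5.15"),
        "web3": ("el7_0", "1:1.0.1e-34.el7_0.6"),
    }
    print("needs update:", check_hosts(sample))
```

Two things bite in practice and are handled above: the el7 packages carry epoch 1 (the `1:` prefix in the yum output), so comparing without the epoch silently reports an el7 box as unpatched, and a higher numbered "release" on a different minor branch (`el6_5.15` vs `el6_5.2`) is not newer, because the leading release number is compared first.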
  18. Guilherme Jaccoud

    Guilherme Jaccoud Member

    63
    30
    18
    May 29, 2014
    Ratings:
    +30
    Local Time:
    12:30 AM
    All my websites are behind CloudFlare. Does it mean I am protected?
     
  19. rdan
    Yes.
     
  20. eva2000
    Yeah, but still worth updating on your server end :)

    Not the best way to die - funny Google heading

    [screenshot: google_poo.png]