1. Join the community forum today - register

Featured SSL POODLE attacks on SSLv3 vulnerability

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 15, 2014.

Previous Thread Next Thread
Loading...
Page 3 of 3
  1. Guilherme Jaccoud

    Guilherme Jaccoud Member

    Joined:
    May 29, 2014
    Messages:
    63
    Likes Received:
    30
    Ratings:
    +30 / 0
    Local Time:
    9:12 PM
    I did a yum update in all servers. Should I recompile Nginx with openssl_v1.0.1j ?
     
    Guilherme Jaccoud, Oct 17, 2014
    #41
  2. RoldanLT

    RoldanLT Premium Member Premium Member

    Joined:
    May 25, 2014
    Messages:
    2,914
    Likes Received:
    666
    Ratings:
    +789 / 0
    Local Time:
    7:12 AM
    Nginx Ver:
    1.9.3
    MariaDB Ver:
    10.0.21
    yes and also PHP.
     
    RoldanLT, Oct 17, 2014
    #42
  3. Guilherme Jaccoud

    Guilherme Jaccoud Member

    Joined:
    May 29, 2014
    Messages:
    63
    Likes Received:
    30
    Ratings:
    +30 / 0
    Local Time:
    9:12 PM
    Is there a definitive guide for .07 stable?
    To be honest I'm a little confused reading this topic, It's three pages of instructions and I don't know which one to follow.
     
    Guilherme Jaccoud, Oct 17, 2014
    #43
  4. RoldanLT

    RoldanLT Premium Member Premium Member

    Joined:
    May 25, 2014
    Messages:
    2,914
    Likes Received:
    666
    Ratings:
    +789 / 0
    Local Time:
    7:12 AM
    Nginx Ver:
    1.9.3
    MariaDB Ver:
    10.0.21
    RoldanLT, Oct 17, 2014
    #44
    • Like Like x 2
  5. Guilherme Jaccoud

    Guilherme Jaccoud Member

    Joined:
    May 29, 2014
    Messages:
    63
    Likes Received:
    30
    Ratings:
    +30 / 0
    Local Time:
    9:12 PM
    Great! Thanks a lot guys :)
    Just updated 5 servers against this evil dog. Also compiled NGINX with NAXSI, so will start to play with it soon…

    I did a simple script to patch my servers, if anyone is interested, here it is…

    Code (Text):
    #!/bin/bash

    # -------------------------------------------------------
    # System OpenSSL update
    # -------------------------------------------------------

    yum -y update

    # -------------------------------------------------------
    # NAXSI download
    # -------------------------------------------------------

    cd /svr-setup
    git clone https://github.com/nbs-system/naxsi

    # -------------------------------------------------------
    # Nginx recompile with NAXSI and OPENSSL v1.0.1j
    # -------------------------------------------------------

    cd /usr/local/src/centmin*mod

    sed -i "s|OPENSSL_VER=.*|OPENSSL_VER='1.0.1j'|g" centmin.sh
    sed -i "s|./configure|./configure --add-module=../naxsi/naxsi_src/|g" inc/nginx_configure.inc

    expect << EOF
    set timeout -1
    spawn ./centmin.sh
    expect "Enter option"
    send -- "4\r"
    expect "YUM install check to speed up upgrade time"
    send -- "n\r"
    expect "Would you like to continue"
    send -- "y\r"
    expect "Install which version of Nginx"
    send -- "1.7.6\r"
    expect "Only needed if you updated OpenSSL version"
    send -- "y\r"
    expect "Enter option"
    send -- "22\r"
    expect eof
    EOF

    nginx -V

    echo -e "\e[36m
    ----------------------------------------------------
    \e[0m  UPDATE COMPLETED! Yeahh :)  \e[36m
    ----------------------------------------------------
    \e[0m"

    shutdown -r now
     
    Guilherme Jaccoud, Oct 17, 2014
    #45
    • Like Like x 1
  6. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    nice use of expect command :D
     
    eva2000, Oct 17, 2014
    #46
    • Like Like x 1
  7. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    eva2000, Oct 17, 2014
    #47
  8. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Opera 25 with POODLE SSLv3 solutions including "anti poodle record splitting" Security changes in Opera 25; the poodle attacks - Opera Security - Opera Software

     
    eva2000, Oct 17, 2014
    #48
  9. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Wikipedia has more info POODLE - Wikipedia, the free encyclopedia

     
    eva2000, Oct 18, 2014
    #49
  10. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Instructions on how to Adjust SSL Cipher and SSL protocols for WHM/Cpanel to disable SSLv3 from protection against POODLE SSLv3 exploits

     
    eva2000, Oct 18, 2014
    #50
  11. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Interesting for Apache + WHM/Cpanel users who tried -SSLv3 in SSLCipherSuites and incorrectly disabled TLSv1 and TLSv1.1 the reason is OpenSSL flags TLSv1 ciphers with SSLv3 ssl - Why doesn't the TLS protocol work without the SSLv3 ciphersuites? - Information Security Stack Exchange Hence, need to disable SSLv3 from SSLProtocol level not SSLCipherSuites level as instructed by WHM/Cpanel

    checking listed ciphers in OpenSSL for TLSv1 show up as SSLv3
    Code (Text):

    openssl ciphers -v 'TLSv1' | sort
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
    ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
    ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
    ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
    AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
    AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
    AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
    CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
    CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
    DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
    DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
    DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
    DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
    DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
    DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
    DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
    DH-DSS-DES-CBC-SHA      SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(56)   Mac=SHA1
    DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
    DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
    DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
    DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
    DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
    DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
    DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
    DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
    DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
    DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
    DH-RSA-DES-CBC-SHA      SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(56)   Mac=SHA1
    DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
    ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
    ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
    ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
    ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
    ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
    ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
    ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
    ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
    ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
    ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
    ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
    EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA  Enc=DES(56)   Mac=SHA1 export
    EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=DES(56)   Mac=SHA1 export
    EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=RC4(56)   Mac=SHA1 export
    EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
    EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
    EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
    EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
    EXP-DH-DSS-DES-CBC-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(40)   Mac=SHA1 export
    EXP-DH-RSA-DES-CBC-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(40)   Mac=SHA1 export
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
    EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
    EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
    EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
    PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
    PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
    PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
    SRP-3DES-EDE-CBC-SHA    SSLv3 Kx=SRP      Au=SRP  Enc=3DES(168) Mac=SHA1
    SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
    SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
    SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=3DES(168) Mac=SHA1
    SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
    SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
    SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=3DES(168) Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
     
    There's no TLSv1.1 at cipher suite level in OpenSSL, so that leaves TLSv1.2
    Code (Text):

    openssl ciphers -v 'TLSv1.1' | sort
    Error in cipher list
    3076691592:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1396:
     
    so in Apache / WHM/Cpanel using -SSLv3 at SSLCipherSuite level removes TLSv1 and TLS v1.1 leaving TLSv1.2 only.
    Code (Text):

    openssl ciphers -v 'TLSv1.2' | sort        
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
    ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
    ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
    ADH-CAMELLIA128-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA256
    ADH-CAMELLIA256-SHA256  TLSv1.2 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA256
    AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
    AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
    AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
    AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
    CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
    CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
    DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
    DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
    DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
    DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
    DH-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA256
    DH-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA256
    DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
    DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
    DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
    DHE-DSS-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA256
    DHE-DSS-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA256
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20(256) Mac=AEAD
    DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
    DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
    DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
    DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
    DH-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA256
    DH-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA256
    ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
    ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
    ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
    ECDH-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(128) Mac=SHA256
    ECDH-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(256) Mac=SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20(256) Mac=AEAD
    ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
    ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
    ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
    ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
    ECDH-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(128) Mac=SHA256
    ECDH-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(256) Mac=SHA384
    NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
     
    Last edited: Oct 18, 2014
    eva2000, Oct 18, 2014
    #51
  12. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    More POODLE analysis at Man bites dog: HTTPS-menacing POODLE is 'hard to exploit' – unless you're on public Wi-Fi • The Register

    Basically for WIFI using folks, I hope you're using secure WIFI connections whenever possible. For me, I use VPN encryption whenever I use WIFI on all my mobile and tablet devices.

     
    eva2000, Oct 19, 2014
    #52
  13. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Mozilla Wiki has updated with POODLE SSLv3 information at Security/Server Side TLS - MozillaWiki

     
    eva2000, Oct 19, 2014
    #53
  14. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Interesting analysis written 2+ days ago of whether SSL 3.0 can be fixed on Redhat blog at Can SSL 3.0 be fixed? An analysis of the POODLE attack. | Red Hat Security

    TLS_FALLBACK_SCSV needs web browser end support too ! Hence, for now need to disable SSL 3.0 on server side until all web browsers are updated with TLS_FALLBACK_SCSV support.
     
    Last edited: Oct 23, 2014
    eva2000, Oct 23, 2014
    #54
  15. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Cpanel 11.44.1.19 build adds new SSL protocol options for disabling SSL 3.0
     
    eva2000, Oct 23, 2014
    #55
  16. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    hmm something to think about. Some folks reporting with SSLv3 disabled in their browsers, they are not able to log into their own home routers' admin pages. So you'd want to make sure you can log into your router admin pages with SSLv3 disabled :)
     
    eva2000, Oct 28, 2014
    #56
    • Like Like x 1
  17. RoldanLT

    RoldanLT Premium Member Premium Member

    Joined:
    May 25, 2014
    Messages:
    2,914
    Likes Received:
    666
    Ratings:
    +789 / 0
    Local Time:
    7:12 AM
    Nginx Ver:
    1.9.3
    MariaDB Ver:
    10.0.21
    Then use IE when you login to your router :D
     
    RoldanLT, Oct 28, 2014
    #57
    • Like Like x 1
  18. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    eva2000, Oct 29, 2014
    #58
  19. eva2000

    eva2000 Administrator Staff Member

    Joined:
    May 24, 2014
    Messages:
    12,811
    Likes Received:
    3,345
    Ratings:
    +4,082 / 7
    Local Time:
    9:12 AM
    Nginx Ver:
    Nginx 1.9.9
    MariaDB Ver:
    MariaDB 5.5
    Chrome 39 will disable SSLv3 Chrome 39 Will Have SSL 3.0 Disabled by Default, Chrome 40 Removes It Completely - Softpedia

     
    eva2000, Nov 1, 2014
    #59
Previous Thread Next Thread
Loading...
Page 3 of 3
: sslv3, poodle attack, poodle ssl, ssl, 1.0.1e-30.el6_5.2, openssl, openssl 1.0.1j, tls_fallback_scsv