Re: Expected results for testing Poodlebug using OpenSSL CLI

Thu, 30 Oct 2014 12:34:12 -0700 

On 29/10/2014 21:14, Paul Konen wrote:



Hi, I found on the web a way to use your tool to test for the new 
vulnerability called Poodlebug.


The command is: opsnssl s_client –connect ip:port –ssl3


I feel that I have tomcat configured to use TLS only and this is the 
response back.



When I execute this against a box that isn’t restricted to TLS, I see 
the certificate information returned.



Is the above window showing that is was NOT able to make a SSLv3 
connection?




You are making a very fundamental mistake here:  Refusing SSLv3 is
not the only way tosecure a server against the POODLE attack (not
poodlebug, it is not a bug but an attack against known old bugs).

There are at least 3 ways:

A. Simply turning off SSLv3 connections, and loose support for
  older clients that cannot be upgraded to support TLS.  This is
  what you are testing for.

B. Support SSLv3, but implement the TLS_FALLBACK_SCSV system to
  ensure that up to date web browsers cannot be forced to use a
  lower SSL/TLS version than necessary.  This protects against
  the first half of the POODLE attack except when talking to old
  browsers that lack the new security features.

C. Support SSLv3, but limit it to RC4 only.  Continue to support
  better ciphers when the connection uses higher TLS versions
  that don't use the old RSADSI BSAFE padding that was part of
  SSLv3.  This is vulnerable to the cryptographic weakness of
  RC4, but not to any of the attacks against the SSLv3 ways of
  using   block ciphers.

Currently, OpenSSL apparently has no obvious way to configure it
to do something like solution C, but servers using other SSL/TLS
implementations might do this, so any test tool needs to accept
it as a solution.

By the way, I have yet to hear of any other SSL implementation
doing anything to release fixes that enable solution B.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org






















					Reply via email to