Hi Sailaja,
Pre-deployment Checks
1. $ openssl s_client -ssl3 -connect <host>:<ssl_port> -state –debug
E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state –debug
2. Expected output –
. . . .
. . .
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 write client key exchange A
write to 0008D528 [0009CC48] (6 bytes => 6 (0x6))
0000 - 14 03 00 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0008D528 [0009CC48] (69 bytes => 69 (0x45))
0000 - 16 03 00 00 40 0b df 0a-6a fe 61 00 67 09 4d 2c ....@...j.a.g.M,
0010 - 97 dd 48 8b 23 39 62 9e-f8 bb f3 3b fa d9 94 2b ..H.#9b....;...+
0020 - c4 0c f4 cf 39 79 5d ad-ba fe 76 89 41 14 6e 53 ....9y]...v.A.nS
0030 - e8 4e 3c dc a8 07 4b be-5f bd bf ae d2 54 2e ea .N<...K._....T..
0040 - c0 ab f5 33 77 ...3w
. . . . .
. . . . .
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0008D528 [00092AD0] (5 bytes => 5 (0x5))
. . . . .
. . . . .
This indicates that the SSLv3 connection was successful & hence the system is
vulnerable.
Deployment tasks
1. Edit $OHS_HOME/conf/ssl.conf
Add SSLProtocol All -SSLv2 -SSLv3 in between SSLEngine directive &
SSLCipherSuite directive. This will ensure that the protocol will be other that
SSLv2 & SSLv3 and hence it will be TLS.
Save the file
2. Restart OAS.
$ cd $OAS_HOME/bin
$ ./opmnctl stopall
$ ./opmnctl startall
Post-deployment Checks
1. openssl s_client -ssl3 -connect <host>:<ssl_port> -state –debug
E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state –debug
2. Expected output-
. . .
. .
SSL_connect:SSLv3 write client hello A
read from 0008D528 [00092AD0] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
write to 0008D528 [0009CC48] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28 ......(
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
1021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:../../../../common/openssl/ssl/s3_pkt.c:283: -
This indicate that the SSLv3 connection was unsuccessful & hence the system is
not vulnerable.
Assuming – you have Oracle Application Server and Oracle HTTP Server. Similar
steps will work for Weblogic as well.
Thanks,
Olive
From: Sailaja Gadireddy [mailto:sailaja.gadire...@gmail.com]
Sent: 12 March 2015 15:27
To: users@httpd.apache.org
Subject: [users@httpd] How to disable SSLV3 protocol at Apache
Hello Team,
As SSLv3 is having POODLE attack, client has initiated to disable and upgrade
it to TLSV1.
Please do let me know how do we do that and how to check on impact on
application after disabling it.
How we can check from client side if they are having SSLV3 or TLSV1. What are
the pre-requisites for disabling SSLV3?
Please do let me know for further details.
Thanks & Regards,
Sailaja.
