For When You Can't Have The Real Thing


Created by dave. Last edited by dave, 9 years and 135 days ago. Viewed 2,543 times. #2

Testing for poodle:

[root@voyager conf.d]# curl -v3 -X HEAD >>
* About to connect() to port 443 (#0)
*   Trying… connected
* Connected to ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

If the server is vulnerable, you will instead see normal connection output, including the line:

* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL

If you don't get an SSL connection error, the server is still accepting SSLv3.
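As an added example (not part of the original page), here is a Python check that does at the wire level what the curl -3 test above does: it sends a bare SSLv3 ClientHello and reports whether the server answers with a version 3.0 ServerHello (still accepting SSLv3) or refuses with an alert or a dropped connection. The offered cipher-suite list and the result labels are my own choices; the record layout follows the SSL 3.0 handshake format.

```python
import os
import socket
import struct

# Cipher suites an SSLv3-era server would recognise (constructed offer list):
# RSA with AES-128-CBC, AES-256-CBC, 3DES-CBC and RC4-128.
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a minimal ClientHello (version 3.0)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in SSLV3_SUITES)
    body = (b"\x03\x00" + rnd                                # client_version 3.0, random
            + b"\x00"                                        # empty session_id
            + struct.pack(">H", len(suites)) + suites        # cipher_suites
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake   # handshake record


def classify_response(data):
    """Classify the first record a server sends back to an SSLv3 ClientHello."""
    if not data:
        return "closed"                   # server dropped the connection: SSLv3 refused
    if data[0] == 0x16 and data[1:3] == b"\x03\x00" and len(data) > 5 and data[5] == 0x02:
        return "accepts_sslv3"            # ServerHello at version 3.0: POODLE-exposed
    if data[0] == 0x15 and len(data) >= 7:
        return "alert_" + ALERT_NAMES.get(data[6], str(data[6]))   # refused with an alert
    return "other"


def check_sslv3(host, port=443, timeout=5.0):
    """Send the ClientHello to a live host and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(check_sslv3(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Only "accepts_sslv3" means the fix below is still needed; "closed" and the alert results are what a server with SSLv3 disabled returns.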

To fix: In /etc/httpd/conf.d/ssl.conf, adjust:

#   SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect.  Disable SSLv2 and SSLv3 access:
SSLProtocol all -SSLv2 -SSLv3
This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
