For When You Can't Have The Real Thing
[ start | index | login ]
start > Linux > ssl > poodle

poodle

Created by dave. Last edited by dave, 4 years and 61 days ago. Viewed 1,430 times. #2
[diff] [history] [edit] [rdf]
labels
attachments
(2014-10-15)

Testing for poodle:

[root@voyager conf.d]# curl -v3 -X HEAD >>https://wiki.xdroop.com
* About to connect() to wiki.xdroop.com port 443 (#0)
*   Trying 207.107.149.132… connected
* Connected to wiki.xdroop.com (207.107.149.132) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

If you are vulnerable, you should see normal connection output, including the line:

* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL

If you don't get a SSL connection error, you are accepting v3.

To fix: In /etc/httpd/conf.d/ssl.conf, adjust:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt