welcome to netwrkspider

Wednesday, October 15, 2014

How to check for the SSLv3 POODLE vulnerability and secure your server against it.

#How to scan for SSL POODLE / SSLv3 Bug and Security.

Today Google researchers announced that they have found a bug in the SSL 3.0 protocol. The exploit could be used to intercept critical data that is supposed to be encrypted between clients and servers. The details are given below.
URL : http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
PDF : https://www.openssl.org/~bodo/ssl-poodle.pdf

#How to scan for SSLv3 on the server side.

A ) Method 1: using cipherscan




B ) Method 2 : using openssl

root@ThinkPad-T430:/opt/xnull# openssl s_client -connect flipkart.com:443 -ssl3



Note : if the handshake fails, the server does not support SSLv3 and is secure. If the handshake succeeds,
disable SSLv3 on your server, because there is no patch available for SSLv3.

C) Method 3 : using Nmap

nmap --script ssl-enum-ciphers -p 443 myntra.com


#How to test your client (i.e. browser) for the SSLv3 bug.

https://www.poodletest.com/



#Solution :

https://zmap.io/sslv3/browsers.html


#How to secure your server against the SSLv3 bug

A ) Apache httpd Server .

If you're running Apache, just include the following line in your configuration among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3


Restart your Apache services.

B ) NGINX Server : 


If you're running Nginx, just include the following line in your configuration among the other SSL directives:


ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart your nginx services.

C ) Postfix SMTP

For 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), you don't need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

If 'mandatory SSL' mode is already configured, just add or change the smtpd_tls_mandatory_protocols setting:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

and restart Postfix:


D ) Sendmail

These options are configured in the LOCAL_CONFIG section of your sendmail.mc

LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

E ) Dovecot

In Dovecot v2.1+, add the following to your /etc/dovecot/local.conf (or a new file in /etc/dovecot/conf.d). Note : the exact file depends on your configuration.

ssl_protocols = !SSLv2 !SSLv3

and restart Dovecot:

F ) HAProxy Server

SSL is supported in HAProxy >= 1.5.

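Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3. For example (<crt> and <ciphers> are placeholders for your own certificate file and cipher list):

bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3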

G) OpenVPN

Seems to be unaffected.

OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE.

