SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)
  • #1

    Dear customers,

    Please be aware of the following security vulnerability disclosure that affects servers that have SSL 3.0 enabled:

    On 14 October, Google disclosed a vulnerability in the SSL 3.0 protocol which allows an attacker to gain access to encrypted information transmitted over this SSL communications protocol. This security vulnerability is not linked to the security of any particular SSL certificate or brand of SSL, but to the SSL 3.0 protocol itself, which puts personal information at risk if servers accept communications over it.

    It is worth noting the SSL 3.0 protocol is 18 years old, and by today's standards, the more secure TLS protocol should be enforced for secure communications. As such, we strongly recommend all VPS, Cloud and Dedicated Server customers disable SSL 3.0 immediately. Major browsers such as Firefox are expected to disable SSL 3.0 in upcoming releases.

    You can verify whether SSL 3.0 is enabled on your server by executing the following command, replacing "example.com:443" as necessary:

    Code:
    openssl s_client -ssl3 -connect example.com:443
    You will receive an output similar to this if SSL 3.0 is disabled:

    Code:
    SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40
    SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:
    To learn how to disable SSL 3.0, please visit the URL corresponding to the specific HTTP server you have:

    Apache: mod_ssl - Apache HTTP Server Version 2.2

    Nginx: Module ngx_http_ssl_module

    Microsoft IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

    If you need help disabling SSL 3.0 on your server, please contact our 24x7 support team. We will be happy to help you.

    Kind Regards,

    The eUKhost team
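The check and the fix described in the announcement above, worked through as an added example (this is not code from the eUKhost post). The first function classifies captured `openssl s_client -ssl3` output instead of eyeballing it, and deliberately ignores the `Protocol : SSLv3` line of the SSL-Session block, which is printed whenever the client offered SSLv3 even when the handshake failed (the output quoted later in this thread shows exactly that); a completed SSLv3 session is recognised only by a named cipher on the `New, ..., Cipher is ...` line. It also handles an OpenSSL build that no longer speaks SSLv3 at all, in which case the command cannot prove anything. The second function audits Apache `SSLProtocol` and nginx `ssl_protocols` directives from a config file for lines that still permit SSLv3. The function names, the sample outputs (constructed from the outputs quoted in this thread) and the "unknown option" wording for an SSLv3-less OpenSSL are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the eUKhost announcement. Function names and the
# sample outputs below are this example's own assumptions/constructions.

# Classify the combined stdout+stderr of "openssl s_client -ssl3 -connect host:port".
# Prints one word:  enabled | disabled | unsupported | unreachable | unknown
# Pitfall handled: "Protocol : SSLv3" appears whenever the client *offered* SSLv3,
# even on a failed handshake; only a named cipher after "Cipher is" proves success.
classify_sslv3_probe() {
    out="$1"
    # Modern OpenSSL is built without SSLv3; exact wording varies by version (assumption).
    if printf '%s\n' "$out" | grep -qi -e 'unknown option' -e 'not found'; then
        echo unsupported; return 0
    fi
    case "$out" in
        *"connect:errno"*|*"Connection refused"*) echo unreachable; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q '^New, .*Cipher is [A-Z0-9]'; then
        echo enabled; return 0
    fi
    case "$out" in
        *"handshake failure"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            echo disabled; return 0 ;;
    esac
    echo unknown
}

# Live probe (needs network). </dev/null makes s_client exit after the handshake attempt.
probe_sslv3() {
    out=$(openssl s_client -ssl3 -connect "$1" </dev/null 2>&1)
    classify_sslv3_probe "$out"
}

# Audit Apache (SSLProtocol) and nginx (ssl_protocols) directives read from stdin.
# Prints every directive that still permits SSLv3; exit status 1 if any does.
# Apache applies its +/- tokens left to right, so "SSLProtocol -SSLv3 all" re-enables it.
audit_ssl_protocols() {
    status=0
    set -f                               # no pathname expansion on config tokens
    while IFS= read -r line; do
        set -- $line                     # word-split the directive; drops indentation
        [ $# -gt 0 ] || continue
        allow=0
        case "$1" in
            \#*) continue ;;
            SSLProtocol)
                shift
                for tok in "$@"; do
                    case "$tok" in
                        all|+all|SSLv3|+SSLv3) allow=1 ;;
                        -all|-SSLv3)           allow=0 ;;
                    esac
                done ;;
            ssl_protocols)               # nginx: a plain list of enabled versions
                shift
                for tok in "$@"; do
                    case "${tok%;}" in SSLv3) allow=1 ;; esac
                done ;;
            *) continue ;;
        esac
        if [ "$allow" -eq 1 ]; then
            echo "SSLv3 allowed: $line"
            status=1
        fi
    done
    set +f
    return $status
}

# Constructed sample outputs (modelled on the outputs quoted in this thread).
SAMPLE_DISABLED='CONNECTED(00000003)
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_WRONG_VERSION='error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ENABLED='CONNECTED(00000003)
New, SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 000A'
SAMPLE_UNSUPPORTED='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'

# Offline demo on the samples; for a live check use: probe_sslv3 example.com:443
for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_WRONG_VERSION" "$SAMPLE_UNSUPPORTED"; do
    classify_sslv3_probe "$s"
done
printf 'SSLProtocol all -SSLv2\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' | audit_ssl_protocols \
    || echo 'replace with: SSLProtocol all -SSLv2 -SSLv3   (nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;)'
```

If `probe_sslv3` reports `unsupported`, run the check from a host whose OpenSSL still has SSLv3 compiled in, or rely on the config audit and an external scanner; a "disabled" verdict from a client that cannot speak SSLv3 would be meaningless. Note also that `SSLProtocol all -SSLv2` (a common pre-POODLE Apache setting) still leaves SSLv3 enabled, which is exactly what the audit flags.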

  • #2
    Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

    Hi Ben,

    Thank you for the information. Would you be kind enough to confirm whether the SSL certificates offered by you have SSL 3.0 enabled or use the more secure TLS protocol?

    Awaiting response...



    • #3
      Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

      Originally posted by Graham_Pryce
      Hi Ben,

      Thank you for the information. Would you be kind enough to confirm whether the SSL certificates offered by you have SSL 3.0 enabled or use the more secure TLS protocol?

      Awaiting response...
      Hi Graham,

      This security vulnerability has very little to do with SSL certificates, but rather the protocol (standard) that devices use to communicate with each other over a secure connection. It does not matter what type or brand of SSL certificate you have – you need to make sure your server does not accept secure connections over SSL 3.0 to avoid attackers leveraging this vulnerability against your visitors who are using the less secure protocol. The more secure TLS 1.0 protocol is recommended; it has been around for roughly 15 years and is widely supported in all browsers that your visitors will be using (supported in IE 7 and above (IE 6 has it disabled by default), Chrome 1.0 and above, Firefox 1.0 and above, etc.).



      • #4
        Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

        Great Information Ben.

        Our support team is well prepared to disable this vulnerability. One of our technical team members has posted detailed steps under the Windows Dedicated Server Hosting Discussion section to disable this SSL vulnerability on Windows Server, as many of our clients wanted to learn it.


        Link: Steps to disable SSL 3.0 protocol for POODLE vulnerability on Windows Server

        Regards,
        Gareth M.
        Senior System Administrator.
        Eukhost.com



        • #5
          Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

          I have followed cPanel's instructions here but that doesn't appear to help. The fields contain the values they list and I have pressed Save to restart the service.
          CentOS 6.5 i686, WHM 11.44.1 (build 19)

          1. poodlescan.com says: "This server supports the SSL v3 protocol. This server supports the SSL v2 protocol. You should really disable this protocol. It's WAY deprecated."
          2. The command line openssl s_client -ssl3 -connect example.com:443 gives:

          Code:
          3072313068:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
          CONNECTED(00000003)
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 5 bytes and written 7 bytes
          ---
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
              Protocol  : SSLv3
              Cipher    : 0000
              Session-ID:
              Session-ID-ctx:
              Master-Key:
              Key-Arg   : None
              Krb5 Principal: None
              PSK identity: None
              PSK identity hint: None
              Start Time: 1414840064
              Timeout   : 7200 (sec)
              Verify return code: 0 (ok)

          Is there something else that I should be doing?



          • #6
            Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

            Originally posted by stevem
            I have followed cPanel's instructions here but that doesn't appear to help. The fields contain the values they list and I have pressed Save to restart the service.
            CentOS 6.5 i686, WHM 11.44.1 (build 19)

            1. poodlescan.com says: "This server supports the SSL v3 protocol. This server supports the SSL v2 protocol. You should really disable this protocol. It's WAY deprecated."
            2. The command line openssl s_client -ssl3 -connect example.com:443 gives [output as above]

            Is there something else that I should be doing?
            Hi Steve,

            I'll check this for you..

            Edit: It should be sorted out now!
            Rock _a.k.a._ Jack Daniel




            • #7
              Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

              I see it has been sorted and both tests now show that the server is no longer vulnerable. Thank you for doing that. May I ask what was done?



              • #8
                Re: SSL 3.0 Protocol Vulnerability ("Poodle" SSL Vulnerability)

                Hi Steve,

                We have re-installed the self-signed SSL certificate on your server and then reconfigured the SSL/TLS settings to patch the "Poodle" SSL vulnerability. Now https://www.poodlescan.com/ reports the server as "Not vulnerable".
                Regards,
                Kieran A.
                Cloud Administrator
                Skype :: Kieran.Alen | eUKhost
