Using https://www.poodlescan.com/ I get for the web site http://ww.israelpost.co.il

This server supports the SSL v3 protocol.

Using https://www.ssllabs.com/ssltest/analyze.html?d=israelpost.co.il I get:

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3   No
SSL 2   No

So my question is: does my server support the SSL v3 protocol or not? I've done my best to disable SSL v3. If poodlescan returns a "false positive", does it find a weakness other than SSL v3 and report it as SSL3? Please note that currently only TLS 1.0 is supported by the server.

I'm also getting calls from clients using IE (not 6/XP) who can't connect over SSL to the site but succeed using Chrome.

After installing fixes: ver (64 Bit) (Release 9.0.1FP2 HF590 for Windows/64), I even regenerated SHA 256 keys and set notes.ini:

DISABLE_SSLV3=1
DEBUG_UNSUPPORTED_DISABLE_SSLV3=17

Is there anything else?

Tim
  • Looks like poodletest is caching something. Running [this test](https://pentest-tools.com/vulnerability-scanning/ssl-poodle-scanner) your website seems safe. Have you tried some manual basic tests as [described here](http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerability/)? They're not conclusive by any means, but an easy spot-check. – Reaces Jan 06 '15 at 11:45
  • Thanks @Reaces, I performed other tests (https://pentest-tools.com/vulnerability-scanning/ssl-poodle-scanner, http://poodlebleed.com/), all indicating "NOT Vulnerable"; maybe, as you said, poodlescan.com has cached something. – Emmanuel Gleizer Jan 07 '15 at 06:16
  • Some more info from IBM: The notes.ini parameter disables support for SSLv3, but looking at the output from s_client and Domino, it does not stop the initial connection attempt but terminates the connection as soon as the remote client attempts to perform an SSL handshake. Perhaps this may be enough for poodlescan.com to consider that Domino supports SSLv3, but again you would need to clarify this with the site owners, as this is the only site I can find that reports the issue. – Emmanuel Gleizer Jan 08 '15 at 07:31
  • Bug fixed on [PoodleScan.com](https://www.poodlescan.com/) :) "Scan results WWW.ISRAELPOST.CO.IL:443 (193.46.64.211) - NOT VULNERABLE. This server does NOT support the SSL v3 protocol. This server does NOT support the SSL v2 protocol." – Pierre Jan 08 '15 at 15:38

1 Answer

Your server does not support connecting through SSLv3.

```
[sreeraj@server ~]$ openssl s_client -connect www.israelpost.co.il:443 -ssl3
CONNECTED(00000003)
140610352998304:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1257:SSL alert number 47
140610352998304:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
```

And:

```
[sreeraj@server ~]$ openssl s_client -connect israelpost.co.il:443 -ssl3
CONNECTED(00000003)
140334476011424:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1257:SSL alert number 47
140334476011424:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
```

Looks good.

Sreeraj
  • Thank you @Sree, for the openssl test! It seems now that only poodlescan.com warns for SSL3 support. I accept the response even if I still don't understand why I have a "false positive". – Emmanuel Gleizer Jan 07 '15 at 06:33
  • Additional info: it seems that IE users who can't connect to the web site in http were still enabling SSL 2 in IE, which causes "page can not be displayed"; see http://support.microsoft.com/kb/2851628/ – Emmanuel Gleizer Jan 07 '15 at 11:16
  • Yes. If everything is good (i.e. if SSLv3 is disabled), users trying to visit the https URL with an old IE version will not be able to connect, since older versions use SSLv3 to connect. – Sreeraj Jan 07 '15 at 11:25
  • Not exactly @Sree, even with newer versions of IE, when allowing BOTH protocols SSL v2 and TLS. – Emmanuel Gleizer Jan 08 '15 at 07:08
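
The distinction this thread turns on (a server that accepts the TCP connection and then answers an SSLv3 ClientHello with a fatal alert, versus one that actually negotiates SSLv3) can be checked on the first record the server sends back. The following is an added example, not code from any poster or from the scanners mentioned; the function name and the sample byte strings are constructed for illustration.

```python
import struct

ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2   # record types, handshake type
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def classify_reply(data: bytes, offered: int = 0x0300) -> dict:
    """Classify the first record received after a ClientHello that offered
    only `offered` (default SSLv3). 'supported' is True, False or None."""
    if len(data) < 5:
        return {"supported": False, "reason": "no record (connection closed)"}
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return {"supported": None, "reason": "truncated record"}
    if ctype == ALERT and length >= 2:
        level, desc = body[0], body[1]
        name = ALERT_NAMES.get(desc, f"alert {desc}")
        if level == 2:  # fatal: the handshake was refused
            return {"supported": False, "reason": f"fatal alert: {name}"}
        return {"supported": None, "reason": f"warning alert: {name}"}
    if ctype == HANDSHAKE and length >= 6 and body[0] == SERVER_HELLO:
        # 1-byte handshake type, 3-byte length, then 2-byte server_version
        chosen = struct.unpack("!H", body[4:6])[0]
        return {"supported": chosen == offered,
                "reason": f"ServerHello selecting {VERSIONS.get(chosen, hex(chosen))}"}
    return {"supported": None, "reason": f"unexpected record type {ctype}"}


# Constructed sample replies (not captured from any real server).
# Fatal alert 47, the alert number shown in the s_client output above:
FATAL_ALERT_47 = bytes([21, 3, 0, 0, 2, 2, 47])
# A minimal ServerHello that selects SSLv3 (zeroed random, empty session id):
SSLV3_SERVER_HELLO = (bytes([22, 3, 0, 0, 42, 2, 0, 0, 38, 3, 0])
                      + bytes(32) + bytes([0, 0x00, 0x0A, 0]))

if __name__ == "__main__":
    for label, raw in [("fatal alert 47", FATAL_ALERT_47),
                       ("SSLv3 ServerHello", SSLV3_SERVER_HELLO),
                       ("closed without data", b"")]:
        print(label, "->", classify_reply(raw))
```

A successful TCP connect on its own says nothing about protocol support; only a ServerHello that selects the offered version does.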