Am I vulnerable to POODLE or not?

Question

Domain: burian-server.cz

What I've tried:

user@pc ~ $ curl -v -3 -X HEAD https://burian-server.cz
* Rebuilt URL to: https://burian-server.cz/
* Hostname was NOT found in DNS cache
*   Trying 192.168.0.102...
* Connected to burian-server.cz (192.168.0.102) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to burian-server.cz:443 
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to burian-server.cz:443 

As compared to another domain of mine sslhosting.cz, run on a different hosting:

user@pc ~ $ curl -v -3 -X HEAD https://sslhosting.cz
* Rebuilt URL to: https://sslhosting.cz/
* Hostname was NOT found in DNS cache
*   Trying 88.86.120.114...
* Connected to sslhosting.cz (88.86.120.114) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

One tester told me I am "probably" not vulnerable, which I do not really understand.

As there are noticeable differences in the above outputs, I suspect I might have configured my Apache server incorrectly.

Answer 1

Actually, https://burian-server.cz/ looks really good. A great free resource for testing https is Qualys SSL Labs' SSL Server Test. Not only will they do a comprehensive test, they also point in detail to practical action that can be taken and their site has lots of up to date information explaining current attack vectors and mitigations. Ivan Ristic, the creator of mod_security, is director of engineering at Qualys.