Questions tagged [poodle]

37 questions
39
votes
7 answers

Poodle: Is disabling SSL V3 on server really a solution?

I've been reading all day about the Poodle vulnerability and I am a bit confused now vs Security and Revenue. If I disable SSL V3 on Server (SSL V2 and V3 both will be disabled for Apache) clients (browsers) who don't support any protocol but SSL…
sandeep.s85
20
votes
8 answers

How do I disable SSLv3 support in Apache Tomcat?

I am trying to reconfigure my Apache Tomcat server to only use TLSv1. However, it is still falling back to SSLv3 using certain browsers. I set up the tag with the following settings:
rmiesen
19
votes
1 answer

How to mitigate POODLE but keep SSLv3 support for old clients

How do I mitigate the POODLE attack, but still keep support for old clients such as IE6 on Windows XP or an e-mail client? I've noticed that Google does this: https://www.ssllabs.com/ssltest/analyze.html?d=mail.google.com I'm using nginx and…
cypres
14
votes
1 answer

Passing SSL protocol info to backend via HTTP header

After the Poodle vulnerability was revealed recently, our team decided to move on from SSLv3. But before complete removal, they want to warn the daily users that their browser uses deprecated SSLv3. So, we came up with the idea to detect the protocol…
tpml7
12
votes
2 answers

Disabling SSLv3 but still supporting SSLv2Hello in Apache

Many SSL clients, notably JDK 6, use the SSLv2Hello protocol to handshake with the server. Using this protocol does not mean you are using SSL 2.0 or 3.0 for that matter; it is merely a handshake to determine which protocol to use. …
Matt Hughes
7
votes
2 answers

Is a reboot required for SSL V3 disable on Windows? - Poodle exploit

We are trying to disable SSL V3 on numerous Windows servers; as a part of it, registries are being updated remotely via script. The problem is lots of reboots are required post registry change. Is there a way around it, can service be restarted on the…
Darktux
6
votes
1 answer

Disable SSLv3 on Windows Server 2012

I have disabled the SSLv3 on Windows 2012 server using the following method: http://blog.brankovucinec.com/2014/11/13/disable-the-sslv3-protocol-on-microsoft-windows-servers/ Around the same thing is here too…
progrAmmar
6
votes
2 answers

How switching off SSLv3 in Courier-IMAP server affects old Mail User Agents?

I would like to mitigate the POODLE vuln. in my courier-imap server. I know how to do it. I'm really concerned about how it will affect MUAs, especially the older ones. There are still users using Outlook Express 6 in Windows XP. Is there any analysis…
4
votes
3 answers

Nginx sslv3 poodle disable

I tried to set up an SSL cert without SSLv3 in my nginx, but SSL Labs says my server has SSLv3. How do I disable it? My config: add_header Strict-Transport-Security max-age=31536000; add_header X-Frame-Options DENY; ssl_session_cache…
4
votes
2 answers

Redirect users connecting with SSLv3 within nginx

I was looking to drop all support for the SSLv3 due to POODLE, but found that there are still some people coming from old browsers for the likes of IE on Windows XP. How do I detect these SSLv3-only users from within nginx, and redirect them to…
sanmai
4
votes
1 answer

Poodle Exploit - Disable SSL v3 on a website specific basis

I'm looking for a very specific situation here with this Poodle exploit. I have a need to disable SSL v2/3 on a subset of my IIS websites, but leave SSL 2/3 available on a few others. Is it possible to do this with IIS 7.5?
Falcones
3
votes
2 answers

Weblogic Mitigate POODLE vulnerability after upgrade and still use CBC ciphers

I recently upgraded my Weblogic server to 10.3.6 with java 7. So with that I have TLS1.0 - TLS 1.2 enabled via the setEnv.sh. Some of the ciphers I am using to make sure that they are compatible (supported by Weblogic, FF37, Chrome 44, etc) are as…
Vnge
3
votes
5 answers

Is it possible to disable SSLv3 in Sendmail 8.14.3?

Is it possible to disable SSLv3 in Sendmail 8.14.3? The recommendation that I found is to use -O ServerSSLOptions=... but that option is not recognized. Is there any other way of disabling SSLv3 without changing Sendmail code? If not, which is the…
a.d23
3
votes
1 answer

Does my server (still) support the SSL v3 protocol?

Using https://www.poodlescan.com/ I get for the web site http://ww.israelpost.co.il This server supports the SSL v3 protocol. Using https://www.ssllabs.com/ssltest/analyze.html?d=israelpost.co.il I get: Protocols TLS 1.2 No TLS 1.1 No TLS 1.0…
2
votes
1 answer

Am I vulnerable to POODLE or not?

Domain: burian-server.cz What I've tried: user@pc ~ $ curl -v -3 -X HEAD https://burian-server.cz * Rebuilt URL to: https://burian-server.cz/ * Hostname was NOT found in DNS cache * Trying 192.168.0.102... * Connected to burian-server.cz…