Blocking POODLE
Andre Speelmans
fedora-list at cosiso.nl
Fri Jan 16 16:41:49 UTC 2015
On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman <mjs at clemson.edu> wrote:
> On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
>> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs at clemson.edu> wrote:
>> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
>> > vulnerable to POODLE. I followed instructions for Apache httpd at
>> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does not seem to cure the problem.
>> > SSLLabs still reports the servers as vulnerable. Does anyone know what I'm missing?
>>
>> Given that you are on the university network, are you sure there is no
>> proxy in between and that SSLLabs is testing the proxy?
>
> Good question. One of the servers is actually outside the university
> firewall, so I *thinK* that's not an issue, at least for that machine.
> I'm pretty sure that machines on the campus network are behind a network
> firewall, but not behind a campus proxy.
Perhaps a simple way to test it would be to disable TLS in your
browser and try connecting to them? As you are inside the campus
network, you would probably not hit a proxy and if you only accept SSL
and not TLS, the connection should fail.
In firefox I would set security.tls.version.min to 10 or so and see
what happens. Note: I have not actually tried it, but I think that
would do the trick.
--
Best regard,
André
More information about the users
mailing list