Blocking POODLE
Matthew Saltzman
mjs at clemson.edu
Fri Jan 16 21:09:31 UTC 2015
On Fri, 2015-01-16 at 17:41 +0100, Andre Speelmans wrote:
> On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman <mjs at clemson.edu> wrote:
> > On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
> >> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs at clemson.edu> wrote:
> >> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> >> > vulnerable to POODLE. I followed instructions for Apache httpd at
> >> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does not seem to cure the problem.
> >> > SSLLabs still reports the servers as vulnerable. Does anyone know what I'm missing?
> >>
> >> Given that you are on the university network, are you sure there is no
> >> proxy in between and that SSLLabs is testing the proxy?
> >
> > Good question. One of the servers is actually outside the university
> > firewall, so I *thinK* that's not an issue, at least for that machine.
> > I'm pretty sure that machines on the campus network are behind a network
> > firewall, but not behind a campus proxy.
>
> Perhaps a simple way to test it would be to disable TLS in your
> browser and try connecting to them? As you are inside the campus
> network, you would probably not hit a proxy and if you only accept SSL
> and not TLS, the connection should fail.
> In firefox I would set security.tls.version.min to 10 or so and see
> what happens. Note: I have not actually tried it, but I think that
> would do the trick.
Thanks for the suggestion. Changing the min (and fallback-limit,
because I didn't know what that did) to 10 does not cause a failure to
connect. So either (a) the server change didn't take or (b) the browser
change didn't take or (c) I need to do something else in the browser to
force SSLv3.
Still confused...
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
More information about the users
mailing list