8:40 p.m.
SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
vulnerable to POODLE. I followed instructions for Apache httpd at
https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does
not seem to cure the problem. SSLLabs still reports the servers as vulnerable. Does
anyone know what I'm missing?
The server also runs Trac and Subversion servers and a separate vhost
runs Jenkins. Does something special need to be done for those
services?
(These are, in fact, RHEL 7 servers running httpd-2.2.15-39.el6.x86_64,
but I hope someone here will know what's going on.)
Thanks in advance.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
10:07 a.m.
Thanks for the suggestion. Changing the min (and fallback-limit,
because I didn't know what that did) to 10 does not cause a failure to
connect. So either (a) the server change didn't take or (b) the browser
change didn't take or (c) I need to do something else in the browser to
force SSLv3.
Test the browser with those setting against a server that you know has
no POODLE vulnerability?
--
Best regards,
André
8:45 p.m.
On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman
<mjs(a)clemson.edu> wrote:
> SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> vulnerable to POODLE. I followed instructions for Apache httpd at
> https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that
does not seem to cure the problem.
> SSLLabs still reports the servers as vulnerable. Does anyone know what I'm
missing?
Given that you are on the university network, are you sure there is no
proxy in between and that SSLLabs is testing the proxy?
Good question. One of the servers is actually outside the university
firewall, so I *thinK* that's not an issue, at least for that machine.
I'm pretty sure that machines on the campus network are behind a network
firewall, but not behind a campus proxy.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
9:27 a.m.
On Wed, 2015-01-14 at 22:39 -0700, Chris Murphy wrote:
On Wed, Jan 14, 2015 at 7:40 PM, Matthew Saltzman
<mjs(a)clemson.edu> wrote:
> SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> vulnerable to POODLE. I followed instructions for Apache httpd at
> https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that
does not seem to cure the problem. SSLLabs still reports the servers as vulnerable. Does
anyone know what I'm missing?
>
> The server also runs Trac and Subversion servers and a separate vhost
> runs Jenkins. Does something special need to be done for those
> services?
>
> (These are, in fact, RHEL 7 servers running httpd-2.2.15-39.el6.x86_64,
> but I hope someone here will know what's going on.)
RHEL servers have support from Red Hat, send an email or pick up the
phone. The patches between RHEL and Fedora are documented, but unless
someone actually knows the answer it's totally non-obvious how to
answer your question other than "yes I realize it's 2015, but here's
how you use a telephone..."
Well, this is a site license at a large university, so in order to get
to RH support, I have to go through (sometimes not very responsive or
helpful) institutional IT middlemen. So I thought I'd ask here first,
in case the answer was simple and/or common across httpd versions,
because sometimes folks on this list are generous and willing to help
out in such cases.
Sorry to bother you.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
11:39 p.m.
On Wed, Jan 14, 2015 at 7:40 PM, Matthew Saltzman <mjs(a)clemson.edu> wrote:
SSLLabs reports a couple of servers of mine have SSL v3 enabled and
are
vulnerable to POODLE. I followed instructions for Apache httpd at
https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does
not seem to cure the problem. SSLLabs still reports the servers as vulnerable. Does
anyone know what I'm missing?
The server also runs Trac and Subversion servers and a separate vhost
runs Jenkins. Does something special need to be done for those
services?
(These are, in fact, RHEL 7 servers running httpd-2.2.15-39.el6.x86_64,
but I hope someone here will know what's going on.)
RHEL servers have support from Red Hat, send an email or pick up the
phone. The patches between RHEL and Fedora are documented, but unless
someone actually knows the answer it's totally non-obvious how to
answer your question other than "yes I realize it's 2015, but here's
how you use a telephone..."
--
Chris Murphy
10:28 a.m.
New subject: Blocking POODLE [SOLVED]
...at long last (but I don't understand everything--see below).
On Sat, 2015-01-17 at 17:07 +0100, Andre Speelmans wrote:
> Thanks for the suggestion. Changing the min (and
fallback-limit,
> because I didn't know what that did) to 10 does not cause a failure to
> connect. So either (a) the server change didn't take or (b) the browser
> change didn't take or (c) I need to do something else in the browser to
> force SSLv3.
Test the browser with those setting against a server that you know has
no POODLE vulnerability?
It turns out, for reasons I haven't figured out, that changing the
SSLProtocol line in /etc/httpd/conf.d/ssl.conf from
SSLProtocol All -SSLv2
to
SSLProtocol All -SSLv2 -SSLv3
doesn't seem to disable the SSLv3 protocol, as advertised. Instead, I
had to add the second version to the configuration for one of my vhosts
that supports https protocol. I put it below the line
SSLEngine on
inside the <VirtualHost *:443> block and then it worked fine.
Not sure why it doesn't work in ssl.mod or how I was supposed to figure
it out, but at least now it's working.
It occurs to me that this might be an issue with the order in which
files in /etc/httpd/conf.d are read: the vhost file is alphabetically
earlier than ssl.conf. If that's correct, then maybe those files should
be named like the files in /etc/init.d, with prefix numbers to force an
ordering on them?
Thanks for the help.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
3:09 p.m.
On Fri, 2015-01-16 at 17:41 +0100, Andre Speelmans wrote:
On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman
<mjs(a)clemson.edu> wrote:
> On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
>> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs(a)clemson.edu>
wrote:
>> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
>> > vulnerable to POODLE. I followed instructions for Apache httpd at
>> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
but that does not seem to cure the problem.
>> > SSLLabs still reports the servers as vulnerable. Does anyone know what
I'm missing?
>>
>> Given that you are on the university network, are you sure there is no
>> proxy in between and that SSLLabs is testing the proxy?
>
> Good question. One of the servers is actually outside the university
> firewall, so I *thinK* that's not an issue, at least for that machine.
> I'm pretty sure that machines on the campus network are behind a network
> firewall, but not behind a campus proxy.
Perhaps a simple way to test it would be to disable TLS in your
browser and try connecting to them? As you are inside the campus
network, you would probably not hit a proxy and if you only accept SSL
and not TLS, the connection should fail.
In firefox I would set security.tls.version.min to 10 or so and see
what happens. Note: I have not actually tried it, but I think that
would do the trick.
Thanks for the suggestion. Changing the min (and fallback-limit,
because I didn't know what that did) to 10 does not cause a failure to
connect. So either (a) the server change didn't take or (b) the browser
change didn't take or (c) I need to do something else in the browser to
force SSLv3.
Still confused...
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
10:41 a.m.
On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman <mjs(a)clemson.edu> wrote:
On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs(a)clemson.edu> wrote:
> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> > vulnerable to POODLE. I followed instructions for Apache httpd at
> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but
that does not seem to cure the problem.
> > SSLLabs still reports the servers as vulnerable. Does anyone know what I'm
missing?
>
> Given that you are on the university network, are you sure there is no
> proxy in between and that SSLLabs is testing the proxy?
Good question. One of the servers is actually outside the university
firewall, so I *thinK* that's not an issue, at least for that machine.
I'm pretty sure that machines on the campus network are behind a network
firewall, but not behind a campus proxy.
Perhaps a simple way to test it would be to disable TLS in your
browser and try connecting to them? As you are inside the campus
network, you would probably not hit a proxy and if you only accept SSL
and not TLS, the connection should fail.
In firefox I would set security.tls.version.min to 10 or so and see
what happens. Note: I have not actually tried it, but I think that
would do the trick.
--
Best regard,
André
12:09 p.m.
On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs(a)clemson.edu> wrote:
SSLLabs reports a couple of servers of mine have SSL v3 enabled and
are
vulnerable to POODLE. I followed instructions for Apache httpd at
https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does
not seem to cure the problem.
SSLLabs still reports the servers as vulnerable. Does anyone know what I'm missing?
Given that you are on the university network, are you sure there is no
proxy in between and that SSLLabs is testing the proxy?
--
Best regards,
André
3367
days inactive
3387
days old
8 comments
3 participants
participants (3)
-
Andre Speelmans -
Chris Murphy -
Matthew Saltzman