POODLE VULNERABILITY IN SSL 3.0

A new vulnerability was disclosed Oktober 16. in the SSL 3.0 protocol. Labelled Poodle (Padding Oracle On Downgraded Legacy Encryption), the vulnerability can enable crucial information to be intercepted by third parties in communications with servers which enable SSL 3.0.

WHAT IS THE ISSUE?

As a server administrator, you will need to follow these steps:

  1. Check if your server is configured to allow communications over SSL 3.0. You can do this by executing the following OpenSSL command:openssl s_client -ssl3 -connect [host]:[port] If SSL 3.0 is disabled, you will see this notification:

    SSL routines:SSL3_READ_BYTES:sslv3 alert handshakefailure:/xx/src/ssl/s3_pkt.c:xxxx:SSL alert number 40SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/xx/src/ssl/s3_pkt.c:xxx:

  2. Fully disable SSL 3.0
  3. Only enable the secure protocols TLS 1.0 and above

You can refer to the following links for assistance and instructions on how to disable SSL 3.0 for the most popular servers:

Website users should also configure their browsers to disallow communications over SSL v3.0. The main browser providers are planning to do this by default in their next releases, so make sure you always upgrade to the latest browser version, and check regularly with your provider for the latest information.

ABOUT THE TRUSTZONE SYSTEMS

SSL 3.0 is disabled both on our company websites as well as our GCC system. If you are having issues accessing these sites, please use browsers which support TLS 1.0 +.

References: