The Poodle SSLv3

So here we go again!

SSL is broken once more and this one now leaves us with no SSL Ciphers that we can reliably use in a live production site so I guess this now forces us to use the TLS suite of ciphers which in the past have also had problems.

Lets put it this way – if you use any form of SSL ciphers your vulnerable!

Qualys have again been quick to update the Qualys SSL Labs Test tool that they provide which is free to use. This will test your SSL Certificate and all the currently usable Ciphers for your site.

Anyhow, what is the Poodle? Its not one of those white dogs with a ping pong ball on the end of its feet and tail. The extract of the CVE is this:
The attack, specifically against the SSLv3 protocol, allows an attacker to obtain the plaintext of certain parts of an SSL connection, such as the cookie. Similar to BEAST, but more practical to carry out, POODLE could well signal the end of SSLv3 support.

I would recommend reading this posting from Qualys SSL 3 is dead, killed by the POODLE attack

Right, then on-to the Loadbalancer.org appliances.

If you are using STunnel to terminate your SSL connections you will need to manually add a line into your configuration file as which is located at ‘/etc/stunnel/stunnel.conf’ shown here:
[stunnel]
cert = /etc/loadbalancer.org/certs/stunnel.pem
ciphers = ALL
accept = 192.168.63.182:443
connect = 10.0.0.20:80
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
TIMEOUTclose = 0

However, if you are using the Pound Terminator its a little easier to resolve. All you need do is for each Termination you have set up simply add ‘!SSLv3′ to the end of your current cipher list.

Now we also have a SSL Certificate install in our Apache Configuration for the Web User Interface again this needs to be a manual configuration file change.
You need to edit the Apache SSL Configuration file located at ‘/etc/httpd/conf.d/ssl.conf’ and find the line that currently states:
SSLProtocol all -SSLv2
Just change this to:
SSLProtocol all -SSLv2 -SSLv3

Once you have made the changes above to the services you are using you will need to restart the services for the changes to take full effect.

To restart Pound and STunnel this can be done via the Web User Interface, but restarting Apache will need to be done on the command line by typing:
/etc/init.d/httpd restart

*Note from support, if specifying only TLS ciphers then it appears you don’t need to disable SSLv3 with a manual config in stunnel. I was able to use the following cipher list successfully :

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3

Additionally an easy one liner for fixing Apache(WebUI) :

sed -i -e 's/SSLProtocol.*/SSLProtocol ALL -SSLv2 -SSLv3/g' -e 's/SSLCipherSuite.*/SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS/g' /etc/httpd/conf.d/ssl.conf

You Can Learn More About the LoadBalancer.org’s Product Line By Going to www.LoadBalancerSolutions.com/LoadBalancer-org

The original article/video can be found at The Poodle SSLv3

About the Author: Shannon Lewis

Leave a Reply Cancel reply