[BlueOnyx:16179] Re: SSL v3 POODLE vulnerability

Michael Stauber mstauber at blueonyx.it
Tue Oct 14 20:17:03 -05 2014


Hi Ralf,

> Just to be clear, this vulnerability has nothing specifically to do
> with OpenSSL (or any other SSL implementation), it's a flaw in the
> definition of the SSL 3.0 protocol, thus affecting all devices and
> applications that use/implement SSL 3.0...

Yeah, I have just been reading up on it here:

https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

So, as is, SSL v3.0 allows snooping via a man-in-the-middle attack.

This is bad enough. They kind of confirm that SSL v3.0 is pretty much
dead and recommend to move to TLSv1.2 for secure connections. Think
HTTPS, SMTPS, POP3S, IMAPS and FTPS in our usage cases on BlueOnyx.

During the crypto-crisis I did some security hardening of BlueOnyx to
switch to more secure encryption ciphers and protocols wherever possible.

SSL v3.0 is actually only needed to support some older browsers, email
clients and such. Like on Windows XP. Which fortunately is EOL now!

On EL6 based BlueOnyx (5107R, 5108R, 5207R and 5208R) we can safely turn
SSL v3.0 off. This might not sit well with some remaining XP users who
haven't heard the shot yet. But that shouldn't be our problem, as we do
have TLSv1.2 as a secure alternative that is widely supported on the
client side.

However, with the CentOS5 based BlueOnyx 5106R we got a problem:

The old OpenSSL there doesn't offer TLSv1.2.

All we've got on 5106R are TLSv1.1, TLSv1.0 and SSL v3.0 and v2.0.

That's like the choice between pest and cholera. Scratch SSL v3.0 and
v2.0. Which leaves us with TLS v1.1 (utter trainwreck) and TLS v1.0
(pretty bad). In essence (if you scratch XP with IE6) all browsers will
only use TLS v1.0 when they use HTTPS on a 5106R.

So 5106R users really ought to think about upgrading to a newer
BlueOnyx. The whole encryption there is just a boondoggle of outdated
ciphers and protocols that's beyond fixing.

I'll do some more digging and will eventually push an update that
disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give
it a few days as I want to do some more digging.

-- 
With best regards

Michael Stauber
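The post above talks about switching SSL v3.0 off for the HTTPS, SMTPS, POP3S and IMAPS services on the EL6 builds. The script below is an added example for checking that, not code from the thread or from the BlueOnyx project. It models the documented protocol-selection syntax of Apache mod_ssl (`SSLProtocol`), Dovecot 2.x (`ssl_protocols`) and Postfix (`smtpd_tls_mandatory_protocols`), reports whether a given directive value still leaves SSL v3.0 negotiable, and runs that check over a small set of constructed sample lines (the "before" values next to their hardened counterparts). The service names, the sample values and the simplified token rules for mod_ssl (bare token or `all` selects, `+` adds, `-` removes) are assumptions of this example; a real audit must also cover every included configuration file and confirm the result against the running daemon.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): does a protocol directive still enable SSLv3?
#
# sslv3_enabled SERVICE "VALUE"
#   SERVICE is apache, dovecot or postfix (assumed names for this example).
#   VALUE is the right-hand side of the service's protocol directive.
#   Prints 1 if SSLv3 would still be negotiated, 0 if it is disabled.
sslv3_enabled() {
  svc=$1
  val=$2
  case "$svc" in
    apache)
      # Simplified mod_ssl rules (assumption): tokens are read left to right,
      # a bare name or "all" selects exactly that, "+" adds, "-" removes.
      en=0
      for tok in $val; do
        case "$tok" in
          [Aa]ll|+[Aa]ll|SSLv3|+SSLv3) en=1 ;;   # SSLv3 selected
          -[Aa]ll|-SSLv3)              en=0 ;;   # SSLv3 removed
          TLSv1*|SSLv2)                en=0 ;;   # bare token replaces the set
          +*|-*)                       ;;        # other add/remove: no effect on SSLv3
        esac
      done
      echo "$en" ;;
    dovecot|postfix)
      # Dovecot and Postfix use exclusion lists: only "!SSLv3" disables it.
      # Postfix separates entries with commas, so normalise those to spaces.
      en=1
      for tok in $(printf '%s' "$val" | tr ',' ' '); do
        if [ "$tok" = '!SSLv3' ]; then en=0; fi
      done
      echo "$en" ;;
    *)
      echo "unknown service: $svc" >&2
      echo 1 ;;
  esac
}

# audit_samples
#   Runs the check over constructed sample lines ("before" and hardened
#   values) and prints "service:ENABLED" or "service:disabled" per line.
audit_samples() {
  out=""
  while IFS='|' read -r svc_in val_in; do
    if [ -z "$svc_in" ]; then continue; fi
    if [ "$(sslv3_enabled "$svc_in" "$val_in")" = 1 ]; then
      out="$out$svc_in:ENABLED "
    else
      out="$out$svc_in:disabled "
    fi
  done <<EOF
apache|all -SSLv2
apache|all -SSLv2 -SSLv3
dovecot|!SSLv2
dovecot|!SSLv2 !SSLv3
postfix|!SSLv2
postfix|!SSLv2, !SSLv3
EOF
  printf '%s\n' "$out"
}

# Usage: run the sample audit; lines marked ENABLED still need hardening.
audit_samples
```

The hardened values in the sample set are the shapes an administrator would put into the respective configuration files: `all -SSLv2 -SSLv3` for mod_ssl, `!SSLv2 !SSLv3` for Dovecot 2.x and `!SSLv2, !SSLv3` for Postfix. After changing them, restart the daemon and verify externally, because a directive in one file can be overridden by a later include.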
