What is the POODLE Vulnerability?
The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Who is affected by this Vulnerability?
This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited.
Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How Can I Protect Myself?
Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.
Component: IDMGR
Steps to disable the SSLv3 protocol on JBoss, WebLogic and WebSphere:
Steps to disable SSLv3 protocol on JBoss:
1. When enabling/configuring the HTTPS connection in the standalone-full.xml file located in <JBOSS_HOME>\standalone\configuration, specify the SSL protocol:
<ssl name="ssl" password="changeit" sslProtocol = "TLS" key-alias="jbosskey" certificate-key-file="../standalone/configuration/server.keystore"/>
2. If you don't specify the sslProtocol attribute in the <ssl> tag, JBoss uses SSLv3 by default. You need to set it explicitly to a protocol other than SSLv3.
Steps to disable SSLv3 protocol on WebLogic:
1. The weblogic.security.SSL.protocolVersion command-line argument lets you specify which protocol is used for SSL connections.
2. After enabling/configuring SSL for the WebLogic server, append the following option to the JAVA_OPTIONS variable:
-Dweblogic.security.SSL.protocolVersion=TLS1
NOTE: If you don’t specify the above property, by default it takes SSLv3.
Steps to disable SSLv3 protocol on WebSphere:
Log in to the IBM admin console.
1. Go to Security > SSL certificate and key management > SSL configurations
2. The collection of all SSL configurations is listed. For each SSL configuration in the list the SSL protocol will need to be modified to use TLS.
3. Select an SSL Configuration then click Quality of protection (QoP) settings under Additional Properties on the right.
4. On the Quality of protection (QoP) settings panel, select TLS from the pull-down list in the box labeled Protocol.
5. Apply/Save.
6. Restart the application server.
NOTE: Selecting the Protocol value SSL_TLS will not disable SSLv3. With that value the protocol supports SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. Select only TLS, TLSv1, TLSv1.1 or TLSv1.2.
How to check if SSLv3 is disabled:
1. Install OpenSSL on a Windows machine (http://gnuwin32.sourceforge.net/packages/openssl.htm)
2. At a command prompt, run the following command:
openssl s_client -connect <machine_name>:<ssl_port> -ssl3
3. If SSLv3 is disabled, you will see an error like the following:
Loading 'screen' into random state - done
CONNECTED(00000170)
7468:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:530:
4. If SSLv3 is enabled and you run the same command, you will see output like the following:
Loading 'screen' into random state - done
CONNECTED(00000170)
Server certificate
-----BEGIN CERTIFICATE-----
<CertIDString>
-----END CERTIFICATE-----
No client certificate CA names sent
---
SSL handshake has read 628 bytes and written 206 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: ##################
Session-ID-ctx:
Master-Key: ###########################
Key-Arg : None
Start Time: 1416809004
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
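The same check can be made without OpenSSL, which is useful where the local openssl build does not offer the -ssl3 option. The following Python script is an added example, not part of the original article: it sends a bare SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello or rejects the handshake. The cipher suite list and the function names are assumptions chosen for illustration.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire
# Constructed offer: 3DES-SHA, AES128-SHA, AES256-SHA, RC4-SHA, RC4-MD5
SUITES = struct.pack(">5H", 0x000A, 0x002F, 0x0035, 0x0005, 0x0004)

def build_client_hello():
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    body = (SSL3 + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack(">H", len(SUITES)) + SUITES
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_response(data):
    """Turn the first bytes of the server's reply into a verdict."""
    if len(data) < 7:
        return "rejected (connection closed)"
    if data[0] == 0x15:                                 # alert record: level, description
        return "rejected (alert %d)" % data[6]
    # handshake record, ServerHello message, server_version 3.0
    if data[0] == 0x16 and data[5] == 0x02 and data[9:11] == SSL3:
        return "SSLv3 ENABLED"
    return "unknown response"

def probe(host, port, timeout=5.0):
    """Connect, offer SSLv3 only, and classify what comes back."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            # An alert is 7 bytes; the ServerHello version ends at byte 11.
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:                                 # reset or timeout: judge what arrived
            pass
    return classify_response(data)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as python <script_name> <machine_name> <ssl_port> against each listener after the configuration change; any result other than "SSLv3 ENABLED" means the server did not complete an SSLv3 ServerHello.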