logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Turn off SSLv3 support for https :: Poodle
Author
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Wed 15 Oct '14 11:21    Post subject: Turn off SSLv3 support for https :: Poodle Reply with quote

You'd better turn off SSLv3 support if your websites rely on https-connections:

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

https://www.imperialviolet.org/2014/10/14/poodle.html
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 15 Oct '14 18:01    Post subject: Reply with quote

What if you have to support IE on XP? *coff coff*
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 15 Oct '14 19:13    Post subject: Reply with quote

You don't!

If there are people on XP still using IE, soon their XP will grind to a halt from malware. Everyone that I know that is still using XP has switched to Chrome, Firefox, Opera or Safari which should (but not guaranteed) allow them some time to figure out what they are going to do. These all allow for TLS1, many 1.1 or 1.2 even. We may soon be able to quit serving TLS1 as well.

The problem is non-browser type clients for specialized tasks, these can be much harder to do away with, especially if no new version has been released for years and the company that made them has gone away.


Last edited by glsmith on Wed 15 Oct '14 19:18; edited 1 time in total
Back to top
nicklowe



Joined: 15 Apr 2007
Posts: 8

PostPosted: Wed 15 Oct '14 19:17    Post subject: Reply with quote

Please can we have an Apache build with OpenSSL 1.0.1j which includes the server side support of the downgrade protection pseudo-ciphersuite?
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Wed 15 Oct '14 20:23    Post subject: Reply with quote

To mitigate server-side Poodle disable sslv3, for example:

SSLProtocol all -SSLv2 -SSLv3


When not popping up new (other) issues in the new OpenSSL version, we upgrade.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 15 Oct '14 20:33    Post subject: Reply with quote

1.0.1 has a couple memory leaks plugged.
Severity: 1 each of High and Medium

And there is a cute little note about 0.9.8 being EOL at the end of the year.
http://marc.info/?l=openssl-announce&m=141338840924517&w=2
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 15 Oct '14 22:25    Post subject: Reply with quote

glsmith wrote:
You don't!

If there are people on XP still using IE, soon their XP will grind to a halt from malware.


Well on my own servers I disabled SSLv3 a while ago. But on some servers from some big companies who still use XP I haven't find a way yet.

And I too really would like to diable TLS 1.0 soon.
Back to top
nicklowe



Joined: 15 Apr 2007
Posts: 8

PostPosted: Thu 16 Oct '14 0:52    Post subject: Reply with quote

The newer OpenSSL version also put in the mechanism necessary to stop downgrade from happening with the newer TLS versions too, such as from TLS 1.2 to TLS 1.0.

Definitely worth having... The SSL Labs checker now looks for it and flags where it is missing.

As for the companies that still use XP, they can enable TLS 1.0 support in IE 6 through 8 in Internet Options or via Group Policy.

The feature is supported, just disabled by default until IE 7.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 16 Oct '14 3:26    Post subject: Reply with quote

I had checked my server against SSL labs test last night and earlier today, both times they had nothing there. I see it is finally live now.

As for TLS_FALLBACK_SCSV, one thing I did see was: "There's a solution to this problem, via the TLS_FALLBACK_SCSV indicator that must be supported by clients and servers in order to be effective."

Unfortunately, the only client to support this as of now is Chrome. Seeing this, I do not see any reason to panic about TLS_FALLBACK_SCSV yet. As soon as possible should be sufficient.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Thu 16 Oct '14 7:11    Post subject: Reply with quote

If you upgrade to OpenSSL 1.0.1j, you will get TLS_FALLBACK_SCSV for free. There is no way to disable it.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Thu 16 Oct '14 7:20    Post subject: Reply with quote

James Blond wrote:
What if you have to support IE on XP? *coff coff*

Easy. OpenSSL FIPS 1.0.1j config:

SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite AES256:AES128:3DES:HIGH
SSLHonorCipherOrder On
SSLFIPS on

https://www.ssllabs.com/ssltest/analyze.html?d=fimpcentral.net&hideResults=on
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Thu 16 Oct '14 7:30    Post subject: Reply with quote

nicklowe wrote:
As for the companies that still use XP, they can enable TLS 1.0 support in IE 6 through 8 in Internet Options or via Group Policy.

The feature is supported, just disabled by default until IE 7.

On a unpatched XP SP2, you can try to enable TLS 1.0 in IE6, but it will not connect anyway. On XP SP3 with the latest security patches TLS 1.0 is enabled by default in IE8 and can be made working in IE6
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Thu 16 Oct '14 7:36    Post subject: Reply with quote

nicklowe wrote:
Please can we have an Apache build with OpenSSL 1.0.1j which includes the server side support of the downgrade protection pseudo-ciphersuite?

There is a upgrade here:

http://www.apachelounge.com/viewtopic.php?p=28843#28843

Just do not enable FIPS mode and you are done.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Fri 17 Oct '14 12:22    Post subject: Reply with quote

@Admin

Is it possible to have a new compiled version including openssl 1.0.1j to activate TLS_FALLBACK_SCSV?

That would be nice and helpful.

Thanks in advance
JR
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Fri 17 Oct '14 12:49    Post subject: Reply with quote

Yep, a little short of time due to the migration to the new provider. Planned coming days, starting with VC11.
Back to top


Reply to topic   Topic: Turn off SSLv3 support for https :: Poodle View previous topic :: View next topic
Post new topic   Forum Index -> Apache