Hi,

On 21.10.2014 16:26, John Leach wrote:
> Hi,
>
> I'm trying to disable sslv3 with the "no-sslv3" bind option, but it's
> not working.
>
> The option is accepted and the restart is successful, but sslv3 is still
> accepted:
>
> $ openssl s_client -ssl3 -connect localhost:443
>
>  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>  Server public key is 1024 bit
>  Secure Renegotiation IS supported
>  Compression: NONE
>  Expansion: NONE
>  SSL-Session:
>      Protocol  : SSLv3
>      Cipher    : DHE-RSA-AES256-SHA
>      Session-ID:
> D74EC1760F565669B7CD8D21636D05AABC9E047DAC94133E62240B3824EB8176
>      Session-ID-ctx:
>      Master-Key:
> 11417200F033C2B542B4FA3A7DC3C00214EFE92C7709FD406014D047D75DBA40573447ED5808962211AF323860367DEE
>      Key-Arg   : None
>      PSK identity: None
>      PSK identity hint: None
>      SRP username: None
>      Start Time: 1413900818
>
> double checked with nmap.
>
> Tested with haproxy 1.5.3 and 1.5.4 on Ubuntu 14.10, Fedora 20 and Centos 7.
>
> Config is as simple as:
>
>
>   frontend myfrontend
>     bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
>     default_backend mybackend
>     reqadd X-Forwarded-Proto:\ https
I've checked your config on centos 7 with the official version 1.5.2 and
it works.
--
# openssl s_client -ssl3 -connect 127.0.0.1:443
CONNECTED(00000003)
139825192679328:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1257:SSL alert number 40
139825192679328:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413903320
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


>
> I've also tried disabling tls too, and that seems to have no effect either.
>
> Lots of people are recommending this as a fix against the POODLE vuln,
> so it's quite critical! Any thoughts?
Could you post haproxy -vv?
Where does your package come from? Did you compile it by yourself?

> Thanks,
>
> John.
> --
> http://brightbox.com
>
>


cheers
thomas
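As an added example (not part of this thread, not haproxy's code), a small POSIX shell check that classifies an "openssl s_client -ssl3" transcript the way the two results above differ: the working reply still prints "Protocol : SSLv3", so only the negotiated cipher tells you whether no-sslv3 took effect. Function names and the sample transcripts are constructed here; the live check assumes an openssl build that still supports -ssl3.

```shell
#!/bin/sh
# Classify the outcome of "openssl s_client -ssl3" from its transcript on stdin.
# Prints one of: accepted | rejected | unreachable | unknown
#
# Caveat: s_client prints "Protocol  : SSLv3" even when the handshake FAILED,
# because that line only echoes the protocol the client requested. The
# negotiated cipher is the reliable signal: "(NONE)" / "0000" means no session
# was established, so grepping for the Protocol line gives false positives.
sslv3_status() {
    out=$(cat)
    case "$out" in
        *'connect:errno='*)                          echo unreachable ;;
        *'Cipher is (NONE)'*|*'handshake failure'*)  echo rejected ;;
        *'New, TLSv1/SSLv3, Cipher is '*)            echo accepted ;;
        *)                                           echo unknown ;;
    esac
}

# Live check against host:port (needs an openssl build that still has SSLv3).
check_sslv3() {
    openssl s_client -ssl3 -connect "$1:$2" </dev/null 2>&1 | sslv3_status
}

# Constructed sample transcripts, trimmed from the two results in the thread.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'

SAMPLE_REJECTED='139825192679328:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Demo: ./check.sh --demo prints "accepted" then "rejected".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ACCEPTED" | sslv3_status
    printf '%s\n' "$SAMPLE_REJECTED" | sslv3_status
fi
```

Run `check_sslv3 127.0.0.1 443` against the bind line in question; "rejected" is what a working no-sslv3 looks like.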
