Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

Wed, 24 Jun 2015 14:23:23 -0700 

The config script takes no-ssl2 and no-ssl3 args:

./config no-ssl2 no-ssl3 ...
On 06/24/2015 11:57 AM, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote: 
Hi Kurt,

Thanks for the details. Syslog process is based on Java and disabling SSLv3 is 
not possible with that. We have tried to compile openssl with SSLv3 disabled 
but it didn't help. Can you share the steps if you have to disable via openssl 
compilation.

Thanks,
Kannan Narayanasamy.


-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Kurt 
Roeckx
Sent: Friday, June 12, 2015 3:37 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

On Thu, Jun 11, 2015 at 09:43:24PM +0000, Kannan Narayanasamy -X (kannanar - 
HCL TECHNOLOGIES LIMITED at Cisco) wrote:

Hi All,

To resolve openSSL POODLE vulnerability we need to disable the SSLv3. In our 
application we have using openSSL through Apache. We have disabled using the 
below lines.

SSLProtocol all -SSLv2 -SSLv3

We are using 443 as SSL port. The command openssl s_client -connect 
<IPAddress>:443 -ssl3 shows the handshake failure message for 443 port. But for 
the ports 3333 and 4444 is connecting using SSLv3. The scanner as well report the 
high severity risk for those ports. In our application we are using those ports for 
syslog related tasks. If we change the port some other, then the scanner shows the 
new port in the list.

How to disable the SSLv3 connection for those ports as well since may customers 
are waiting for the fix. Your suggestion is much appreciated.


There are 2 solutions:
- Change the configuration of syslog to disable SSLv3.  Not sure
   it can actually be configured.
- Build your openssl with SSLv3 disabled.


Kurt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
  • [ope... Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco)
    • ... Kurt Roeckx
      • ... Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco)
        • ... Joey Yandle
          • ... Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco)
            • ... Kurt Roeckx

Reply via email to