Hi Joey,

Thanks for the steps. I have tried with the exclusion option (command used:
./config no-idea no-ssl3 shared --prefix=/Openssl-1/) and am getting the below
error while executing the make test command.

Error1:

The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
Error opening certificate file ../certs/*.pem
11852:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('../certs/*.pem','r')
11852:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate
Generate a set of DH parameters

Error2:
SSLv2, cipher SSLv2 DES-CBC3-MD5, 1024 bit RSA
1 handshakes of 256 bytes done
Testing ciphersuites
Testing ciphersuites for SSLv3
Error in cipher list
12621:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223:
dh
test tls1 with 1024bit anonymous DH, multiple handshakes
Available compression methods:
  NONE
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT


Thanks,
Kannan Narayanasamy.

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Joey 
Yandle
Sent: Thursday, June 25, 2015 2:52 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

The config script takes no-ssl2 and no-ssl3 args:

./config no-ssl2 no-ssl3 ...


On 06/24/2015 11:57 AM, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES 
LIMITED at Cisco) wrote:
> Hi Kurt,
>
> Thanks for the details. The syslog process is based on Java and disabling SSLv3
> is not possible with that. We have tried to compile openssl with SSLv3
> disabled but it didn't help. Can you share the steps, if you have them, to
> disable it via openssl compilation?
>
> Thanks,
> Kannan Narayanasamy.
>
>
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf 
> Of Kurt Roeckx
> Sent: Friday, June 12, 2015 3:37 AM
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Openssl Poodle Vulnerability Clarification
>
> On Thu, Jun 11, 2015 at 09:43:24PM +0000, Kannan Narayanasamy -X (kannanar - 
> HCL TECHNOLOGIES LIMITED at Cisco) wrote:
>> Hi All,
>>
>> To resolve the OpenSSL POODLE vulnerability we need to disable SSLv3. In our
>> application we are using OpenSSL through Apache. We have disabled it using the
>> below line.
>>
>> SSLProtocol all -SSLv2 -SSLv3
>>
>> We are using 443 as the SSL port. The command openssl s_client -connect
>> <IPAddress>:443 -ssl3 shows the handshake failure message for port 443. But
>> ports 3333 and 4444 are connecting using SSLv3. The scanner also reports
>> the high severity risk for those ports. In our application we are
>> using those ports for syslog related tasks. If we change the port to some
>> other, then the scanner shows the new port in the list.
>>
>> How can we disable the SSLv3 connection for those ports as well, since many
>> customers are waiting for the fix? Your suggestion is much appreciated.
>
> There are 2 solutions:
> - Change the configuration of syslog to disable SSLv3.  Not sure
>    it can actually be configured.
> - Build your openssl with SSLv3 disabled.
>
>
> Kurt
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
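
An added example, not part of the thread or of OpenSSL: a small triage script that parses the `pid:error:code:lib:func:reason:file:line:` records in the make test output above and splits each packed code into its library, function and reason numbers, using the 8/12/12-bit layout of the ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros in OpenSSL 1.0.x. The names `decode`, `parse` and `summarize` are hypothetical helpers.

```python
import re
from collections import Counter

# Records copied from the make test output in the message above, with the
# mail client's line wrapping undone.
SAMPLE = """\
11852:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('../certs/*.pem','r')
11852:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
12621:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223:
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
"""

LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def decode(code_hex):
    """Split a packed error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(text):
    """Return one dict per error record; other test output lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["lib_n"], rec["func_n"], rec["reason_n"] = decode(rec["code"])
        rec["line"] = int(rec["line"])
        records.append(rec)
    return records

def summarize(records):
    """Count records per (source file, line, reason) to show repeated failures."""
    return Counter((r["file"], r["line"], r["reason"]) for r in records)

if __name__ == "__main__":
    for (src, line, reason), n in summarize(parse(SAMPLE)).most_common():
        print(f"{n:3d}x {src}:{line}  {reason}")
```

Grouping by source file and line makes it easy to see which test stage each failure comes from, for example that every `no ciphers available` record is raised at `s2_clnt.c:575`.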