-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 James,
On 8/8/16 2:31 PM, James H. H. Lampert wrote: > Hmm. This is interesting. > > pentest-tools.com says that neither our server nor the customer > server is vulnerable to POODLE. > > But Site24x7.com says ours IS vulnerable to POODLE. Then (when I > click "View Result") it says it isn't. Then (when I actually run > the test again) it once again says it is. (I haven't tested the > customer site because results are posted on the test home page, > which would compromise the customer's privacy.) > > Some other POODLE test sites don't appear to work at all. Others > say we're not vulerable. > > Manually testing both servers with >> curl -v3 -X HEAD https://www.example.com > from a BASH session on my Mac, as per > <http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerabi lity/> > > > > comes back with the desired "failed handshake" message on both > servers. There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1]. If SSLv3 is completely disabled (TLS1.0 is okay), then you aren't vulnerable to "classic" POODLE. If you aren't using CBC-based cipher suites with TLS1.0 - TLS1.2, then you should be okay. With a Java 1.6 (1.6.0_26) client, my server refuses connections due to too-small DH pairs when left to its own devices[2]. When the client is restricted to certain ciphers, these cipher suites are usable: Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA Accepted TLSv1 TLS_RSA_WITH_AES_256_CBC_SHA Accepted TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA Of course, those CBC-based cipher suites are the ones vulnerable to the TLS flavor of POODLE. Ivan Ristic tends to know what he's doing, so I think you can trust Qualys's server-testing tool. - -chris [1] https://en.wikipedia.org/wiki/POODLE#POODLE_attack_against_TLS [2] The TLS handshake protocol doesn't include key sizes as part of its cipher suite negotiation, so the server and client agree that they will use a DH-based cipher suite, but then the client doesn't like the key size (> 1024 bits) that the server chose. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXqgP1AAoJEBzwKT+lPKRYv38P/3YeNilJnpcMgNMQ+ZQE9VFn Y1pBY7qb7wZYp3cxnNlRRnSBkhUIho/rwZ88vpUAPUEBK2oVVwpFovAlIPOZmV2K ARB1KYhFxV3pInfrOLbDNMjWW6AWxPcK7n+7dbT0ZZI5aoZjl9w+Vsa16EC7Xapn RqwUHnyOHnXLYi5YHGTLvIOIl5Wdcn1HzPbvbHhl4qjJ4n1t2PSRGqykolBSW18p AVyNXsJgKwpuIRCjTsJ9nsc0mtO+ovr01OLySViJ33KcIyZoyOk2PWu73yHDMp4l pUl7mYzuYmzFmMwU6s6HbDTbkxHSWBgZ+IcWH2cdQv1Uwa1VL6lQFprFC7kS/27F bH5PUN8fnQ7F9DpH2usokkc+mto9gWpK9/J2Kj6Fk/IDdwsYd2TYEM85VAkX6GL8 xSqoAUlyRGBxyUNp6MlGmTJOM91u5KhRm2Y6kuwjF/4Orl/ZHG8sLf2racfQ71t1 eD2OuJGo0YgEpnwElMAFYvZNsNhv8fTElvFfv9FINFWORDFLCrgqldF7XGfgKBDi QBf9A++27rFhTq+7C4emPiADJ9VMEKJP0cdzkmTBWL1Axp3lf914jmg9vwzx7Rtu 5yIa9iYBhTwSyGd2Nkfpi73TkBKWPlqTrOO1T5blQhL27QsLvGj1awe/WAc8kN4p w5Kj+TagsFa1qHomoedo =ZjKF -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org