“It was discovered that OpenSSL incorrectly handled memory when parsing DTLS SRTP extension data. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.
.. It was discovered that OpenSSL incorrectly handled memory when verifying the integrity of a session ticket. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2014-3567)
In addition, this update introduces support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol downgrade attacks when certain applications such as web browsers attempt to reconnect using a lower protocol version for interoperability reasons.”
We recommend to all of our affiliates to update their OpenSSL versions immediately and to turn off SSL v3 and use TLS 1.1 and higher. Please note that Payflex system servers have been patched and are no longer accepting SSL v3 connections.
How to test if you have disabled SSL v3?
To check if you have disabled the SSLv3 support, then run (replace “facebook.com” with “yourserver.tld”.)
openssl s_client -connect facebook.com:443 -ssl3
which should produce something like
3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40 3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
meaning SSLv3 is disabled on the server. Otherwise the connection will established successfully.
Alternatively, you can use nmap to scan server for supported version:
# nmap --script ssl-enum-ciphers facebook.com** Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-15 03:19 PDT Nmap scan report for facebook.com (22.214.171.124) Host is up (0.090s latency). rDNS record for 126.96.36.199: edge-star-shv-12-frc3.facebook.com Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https | ssl-enum-ciphers: | **SSLv3: No supported ciphers found** | TLSv1.0: