October 16 2014: SSL 3 poodle vulnerability

Attention:

“It was discovered that OpenSSL incorrectly handled memory when parsing DTLS SRTP extension data. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

.. It was discovered that OpenSSL incorrectly handled memory when verifying the integrity of a session ticket. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2014-3567)

In addition, this update introduces support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol downgrade attacks when certain applications such as web browsers attempt to reconnect using a lower protocol version for interoperability reasons.”

Notice:

We recommend to all of our affiliates to update their OpenSSL versions immediately and to turn off SSL v3 and use TLS 1.1 and higher. Please note that Payflex system servers have been patched and are no longer accepting SSL v3 connections.

How to test if you have disabled SSL v3?

To check if you have disabled the SSLv3 support, then run (replace “facebook.com” with “yourserver.tld”.)

openssl s_client -connect facebook.com:443 -ssl3

which should produce something like

3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

meaning SSLv3 is disabled on the server. Otherwise the connection will established successfully.

Alternatively, you can use nmap to scan server for supported version:

# nmap --script ssl-enum-ciphers facebook.com**
Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-15 03:19 PDT
Nmap scan report for facebook.com (173.252.120.6)
Host is up (0.090s latency).
rDNS record for 173.252.120.6: edge-star-shv-12-frc3.facebook.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   **SSLv3: No supported ciphers found**
|   TLSv1.0: