Re: Blocking POODLE

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2015-01-16 at 17:41 +0100, Andre Speelmans wrote:
> On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman <mjs@xxxxxxxxxxx> wrote:
> > On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
> >> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman <mjs@xxxxxxxxxxx> wrote:
> >> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> >> > vulnerable to POODLE.  I followed instructions for Apache httpd at
> >> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/, but that does not seem to cure the problem.
> >> > SSLLabs still reports the servers as vulnerable.  Does anyone know what I'm missing?
> >>
> >> Given that you are on the university network, are you sure there is no
> >> proxy in between and that SSLLabs is testing the proxy?
> >
> > Good question.  One of the servers is actually outside the university
> > firewall, so I *thinK* that's not an issue, at least for that machine.
> > I'm pretty sure that machines on the campus network are behind a network
> > firewall, but not behind a campus proxy.
> 
> Perhaps a simple way to test it would be to disable TLS in your
> browser and try connecting to them? As you are inside the campus
> network, you would probably not hit a proxy and if you only accept SSL
> and not TLS, the connection should fail.
> In firefox I would set security.tls.version.min to 10 or so and see
> what happens. Note: I have not actually tried it, but I think that
> would do the trick.

Thanks for the suggestion.  Changing the min (and fallback-limit,
because I didn't know what that did) to 10 does not cause a failure to
connect.  So either (a) the server change didn't take or (b) the browser
change didn't take or (c) I need to do something else in the browser to
force SSLv3.

Still confused...

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux