Hi Sailaja, Pre-deployment Checks 1. $ openssl s_client -ssl3 -connect <host>:<ssl_port> -state –debug E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state –debug 2. Expected output – . . . . . . . SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 write client key exchange A write to 0008D528 [0009CC48] (6 bytes => 6 (0x6)) 0000 - 14 03 00 00 01 01 ...... SSL_connect:SSLv3 write change cipher spec A write to 0008D528 [0009CC48] (69 bytes => 69 (0x45)) 0000 - 16 03 00 00 40 0b df 0a-6a fe 61 00 67 09 4d 2c ....@...j.a.g.M, 0010 - 97 dd 48 8b 23 39 62 9e-f8 bb f3 3b fa d9 94 2b ..H.#9b....;...+ 0020 - c4 0c f4 cf 39 79 5d ad-ba fe 76 89 41 14 6e 53 ....9y]...v.A.nS 0030 - e8 4e 3c dc a8 07 4b be-5f bd bf ae d2 54 2e ea .N<...K._....T.. 0040 - c0 ab f5 33 77 ...3w . . . . . . . . . . SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data read from 0008D528 [00092AD0] (5 bytes => 5 (0x5)) . . . . . . . . . . This indicates that the SSLv3 connection was successful & hence the system is vulnerable. Deployment tasks 1. Edit $OHS_HOME/conf/ssl.conf Add SSLProtocol All -SSLv2 -SSLv3 in between SSLEngine directive & SSLCipherSuite directive. This will ensure that the protocol will be other that SSLv2 & SSLv3 and hence it will be TLS. Save the file 2. Restart OAS. $ cd $OAS_HOME/bin $ ./opmnctl stopall $ ./opmnctl startall Post-deployment Checks 1. openssl s_client -ssl3 -connect <host>:<ssl_port> -state –debug E.g. openssl s_client -ssl3 -connect 10.75.112.16:443 -state –debug 2. Expected output- . . . . . SSL_connect:SSLv3 write client hello A read from 0008D528 [00092AD0] (5 bytes => 5 (0x5)) 0000 - 15 03 01 00 02 ..... write to 0008D528 [0009CC48] (7 bytes => 7 (0x7)) 0000 - 15 03 01 00 02 02 28 ......( SSL3 alert write:fatal:handshake failure SSL_connect:error in SSLv3 read server hello A 1021:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../../../../common/openssl/ssl/s3_pkt.c:283: - This indicate that the SSLv3 connection was unsuccessful & hence the system is not vulnerable. Assuming – you have Oracle Application Server and Oracle HTTP Server. Similar steps will work for Weblogic as well. Thanks, Olive From: Sailaja Gadireddy [mailto:sailaja.gadireddy@xxxxxxxxx] Hello Team, As SSLv3 is having POODLE attack, client has initiated to disable and upgrade it to TLSV1. Please do let me know how do we do that and how to check on impact on application after disabling it. How we can check from client side if they are having SSLV3 or TLSV1. What are the pre-requisites for disabling SSLV3? Please do let me know for further details. Thanks & Regards, Sailaja. |