Protection against POODLE SSLv3 Vulnerability - Bug #2921

Davide Principi

Oct 22, 2014, 4:04:01 AM
to NethServer English
Since Thursday, Oct 16th, the openssl-1.0.1e-30 RPM package containing
the fix that disables protocol downgrade (TLS_FALLBACK_SCSV) has been
available from the NethServer "centos-updates" repository.

Today, we released an update that disables SSLv2 and SSLv3 on the httpd
daemon.

Disabling SSL on httpd drops compatibility with IE6. If you still have
it around (and cannot upgrade to a browser with TLS) then you need a
custom-template for httpd: feel free to ask for help on this ML.

For other daemons and services, after updating OpenSSL we suggest:

* check what services are still using the old library version:

# lsof -n | grep DEL | grep -F libssl.

* restart the services, or reboot the machine

* enable TLS and disable SSL protocols on the client-side, as the
protocol downgrade is already fixed on the server-side.

Packages in "nethserver-updates" repository:
nethserver-httpd-admin-1.3.3-1.ns6.noarch.rpm
nethserver-httpd-2.3.3-1.ns6.noarch.rpm

See also:

* http://dev.nethserver.org/issues/2921

More information about POODLE is available from:

* https://www.imperialviolet.org/2014/10/14/poodle.html

* https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

* http://blog.erratasec.com/2014/10/some-poodle-notes.html#.VEdhjnWSyV4


--
Davide Principi

#davidep | @davideprincipi | GPG 0x5651EA71
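
Added example, not part of the original message or of NethServer: a stricter form of the lsof check above that matches "DEL" only in the FD column and prints one "PID COMMAND" line per process still mapping the replaced libssl. The function name and the sample lsof rows are constructed for illustration, and the column layout assumed is the one without a TID column.

```shell
#!/bin/sh
# Reads `lsof -n` output on stdin and lists each process that still maps
# a libssl file which has been deleted on disk (replaced by the RPM update).
stale_libssl_procs() {
    awk '
        # Column 4 is FD; lsof shows "DEL" there for a deleted mapped file.
        # Testing the column avoids matching "DEL" inside a path or user name.
        $4 == "DEL" && $NF ~ /libssl\./ {
            key = $2 " " $1              # PID, then COMMAND
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort -n
}

# Constructed sample rows (not captured from a real host).
# DEL rows have no SIZE/OFF value, so they carry eight fields.
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd      2211   root  DEL    REG  253,0          131 /usr/lib64/libssl.so.1.0.1e
httpd      2215 apache  DEL    REG  253,0          131 /usr/lib64/libssl.so.1.0.1e
master     1830   root  DEL    REG  253,0          131 /usr/lib64/libssl.so.1.0.1e
master     1830   root  DEL    REG  253,0          140 /usr/lib64/libcrypto.so.1.0.1e
imap-login 1502   root  mem    REG  253,0   441112 977 /usr/lib64/libssl.so.1.0.1e
rsync      4000   root   3r    REG  253,0     1024 555 /backup/DELETED/libssl.so.10
crond      1644   root  DEL    REG  253,0           88 /lib64/libc-2.12.so'

# Demo on the sample; on a live system use: lsof -n | stale_libssl_procs
printf '%s\n' "$SAMPLE_LSOF" | stale_libssl_procs
```

The rsync row is one that the plain "grep DEL | grep -F libssl." pipeline would report, because both strings occur in its path; the column test skips it.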

