thr3ads.net - CentOS - [CentOS] POODLE and TLSv1 [Oct 2014]

If this information is useful, please help other people find it:
Share via:

James B. Byrne

2014-Oct-17 16:53 UTC

[CentOS] POODLE and TLSv1

I read this on the RHN commentary respecting cve-2014-3566:


https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/:

. . .
The first aspect of POODLE, the SSL 3.0 protocol vulnerability, has already
been fixed through iterative protocol improvements, leading to the current TLS
version, 1.2. It is simply not possible to address this in the context of the
SSL 3.0 protocol, a protocol upgrade to one of the successors is needed. Note
that TLS versions before 1.1 had similar padding-related vulnerabilities,
which is why we recommend to switch to TLS 1.1, at least. (SSL and TLS are
still quite similar as protocols, the name change has non-technical reasons.)
. . .

If run nmap to view the ciphers on a host running apache-2.2.15 I see this:

# nmap --script ssl-enum-ciphers -p 443 inet09

Starting Nmap 6.01 ( http://nmap.org ) at 2014-10-17 12:48 EDT
Nmap scan report for for x.y.z.a
Host is up (0.00034s latency).
rDNS record for x.y.z.a
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (5)
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.1
|     Ciphers (5)
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.2
|     Ciphers (9)
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
. . .


If read the advisory aright then TLSv1.0 suffers from exactly the same flaw as
SSLv3.  So, how do I configure apache-2.2.15 to deny TLSv1.0 and keep service
TLSv1.1+?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Thomas Eriksson

2014-Oct-17 17:38 UTC

head link

[CentOS] POODLE and TLSv1

On 10/17/2014 09:53 AM, James B. Byrne wrote:> 
> I read this on the RHN commentary respecting cve-2014-3566:
> 
> 
>
https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/:
> 
...> 
> If read the advisory aright then TLSv1.0 suffers from exactly the same flaw
as
> SSLv3.  So, how do I configure apache-2.2.15 to deny TLSv1.0 and keep
service
> TLSv1.1+?
> 
> 
The same advisory recommends to use this config for 7 and 6.6 upwards

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

I guess you could try changing that to

SSLProtocol -All +TLSv1.1 +TLSv1.2

Don't know what you might break on the client side...

 - Thomas

Reasonably Related Threads

Search for more reasonably related threads

CentOS - Oct 2014 - POODLE and TLSv1

[CentOS] POODLE and TLSv1

[CentOS] POODLE and TLSv1

Reasonably Related Threads