Forum OpenACS CMS: "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."

Collapse
1: "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."
Posted by Vasily Sora on 11/13/18 08:26 PM
I ran the test that https://www.ssllabs.com offers. In short it says In short it says that the server is vulnerable to "POODLE attack". I looked in the config and it only has SSLV2 active, as far as I can tell. I wonder if this is some kind of false alarm or if not how to disabled SSLV3.
Collapse
2: Re: "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO" (response to 1)
Posted by Vasily Sora on 11/13/18 08:39 PM
This shows up in the terminal about the SSLV3

[13/Nov/2018:19:32:45][13128.7fbf435fe700][-driver:nsssl_v4:0-] Notice: SSL_shutdown has failed: error:1408F10B:SSL routines:SSL3_G T_RECORD:wrong version number

Collapse
3: Re: "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO" (response to 1)
Posted by Gustaf Neumann on 11/14/18 10:57 AM
It is not the case that with the default configuration only SSLv2 is active, but by the default configuration, only SSLv2 is disabled ... and SSLv3 should be disabled as well. The syntax, how this works is determined by OpenSSL (aside of the fact that the parameter has to be a proper quoting for Tcl). Just set the "protocols" parameter in the nsssl section to "!SSLv2:!SSLv3", which means: disable SSLv2 and SSLv3.

One should probably deactivate SSLv3 by default (with the cost, that some old SSL clients might fail). I will update the default configuration on bitbucket to the more secure setting.

The security rating of openacs.org (running NaviServer 4.99.17) is A+. You should be able to get the same.

-gn

[1] https://www.ssllabs.com/ssltest/analyze.html?d=openacs.org&s=2001%3a628%3a404%3a74%3a0%3a0%3a0%3a31&hideResults=on&latest