Re: Blocking POODLE [SOLVED]
...at long last (but I don't understand everything--see below).

On Sat, 2015-01-17 at 17:07 +0100, Andre Speelmans wrote:
> > Thanks for the suggestion. Changing the min (and fallback-limit,
> > because I didn't know what that did) to 10 does not cause a failure to
> > connect. So either (a) the server change didn't take or (b) the browser
> > change didn't take or (c) I need to do something else in the browser to
> > force SSLv3.
>
> Test the browser with those settings against a server that you know has
> no POODLE vulnerability?
>

It turns out, for reasons I haven't figured out, that changing the
SSLProtocol line in /etc/httpd/conf.d/ssl.conf from

    SSLProtocol All -SSLv2

to

    SSLProtocol All -SSLv2 -SSLv3

doesn't seem to disable the SSLv3 protocol, as advertised. Instead, I had
to add the second version to the configuration for one of my vhosts that
supports https protocol. I put it below the line

    SSLEngine on

inside the block and then it worked fine. Not sure why it doesn't work in
ssl.mod or how I was supposed to figure it out, but at least now it's
working.

It occurs to me that this might be an issue with the order in which files
in /etc/httpd/conf.d are read: the vhost file is alphabetically earlier
than ssl.conf. If that's correct, then maybe those files should be named
like the files in /etc/init.d, with prefix numbers to force an ordering on
them?

Thanks for the help.

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
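As an added example (not code from this thread, from Apache, or from Fedora), a small Python checker for the situation described above: it reads conf.d files in the sorted order Apache's Include uses, treats an SSLProtocol directive outside any <VirtualHost> as server scope that every vhost inherits, treats one inside a block as applying only to that block, and lists every SSLEngine-on vhost whose effective protocol set still contains SSLv3. It assumes the stock ssl.conf keeps its SSLProtocol line inside the <VirtualHost _default_:443> block; the file names and vhost contents are constructed.

```python
# Added example: find Apache vhosts whose effective SSLProtocol still admits SSLv3.
import re

ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def parse_protocol(spec):
    # 'All -SSLv2 -SSLv3' -> set of protocols left enabled
    enabled = set()
    for tok in spec.split():
        names = ALL if tok.lstrip("+-").lower() == "all" else {tok.lstrip("+-")}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def sslv3_vhosts(files):
    # files: {name: text}; read in sorted order, like 'Include conf.d/*.conf'.
    # Directives outside <VirtualHost> form the server scope, which every vhost
    # inherits; directives inside a block (including _default_:443) apply only there.
    server_spec, vhosts, cur = None, {}, None
    for name in sorted(files):
        for line in files[name].splitlines():
            line = line.split("#", 1)[0].strip()
            if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
                cur = f"{name}:{m.group(1)}"
                vhosts[cur] = {"engine": False, "spec": None}
            elif line.lower().startswith("</virtualhost>"):
                cur = None
            elif m := re.match(r"(SSLProtocol|SSLEngine)\s+(.+)", line, re.I):
                key, val = m.group(1).lower(), m.group(2).strip()
                if cur is None and key == "sslprotocol":
                    server_spec = val
                elif cur is not None and key == "sslprotocol":
                    vhosts[cur]["spec"] = val
                elif cur is not None:
                    vhosts[cur]["engine"] = val.lower() == "on"
    # mod_ssl's default for SSLProtocol is 'all', so a vhost with no directive
    # anywhere in scope still speaks SSLv3.
    return [vid for vid, v in vhosts.items() if v["engine"]
            and "SSLv3" in parse_protocol(v["spec"] or server_spec or "all")]

# Constructed configs. Assumption: ssl.conf keeps the directive inside the stock
# _default_:443 block, so the site vhost gets the server default and is flagged.
SSL_CONF = "Listen 443\n<VirtualHost _default_:443>\nSSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n"
SITE_WEAK = "<VirtualHost *:443>\nServerName www.example.invalid\nSSLEngine on\n</VirtualHost>\n"
SITE_FIXED = SITE_WEAK.replace("SSLEngine on\n", "SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n")

if __name__ == "__main__":
    print(sslv3_vhosts({"ssl.conf": SSL_CONF, "a-site.conf": SITE_WEAK}))   # ['a-site.conf:*:443']
    print(sslv3_vhosts({"ssl.conf": SSL_CONF, "a-site.conf": SITE_FIXED}))  # []
```

Point it at a real conf.d by reading each *.conf file into the dict; a vhost it lists is one that relies on inheritance and deserves an explicit SSLProtocol line of its own.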
Re: Blocking POODLE
> Thanks for the suggestion. Changing the min (and fallback-limit,
> because I didn't know what that did) to 10 does not cause a failure to
> connect. So either (a) the server change didn't take or (b) the browser
> change didn't take or (c) I need to do something else in the browser to
> force SSLv3.

Test the browser with those settings against a server that you know has
no POODLE vulnerability?

-- 
Best regards,
André
Re: Blocking POODLE
On Fri, 2015-01-16 at 17:41 +0100, Andre Speelmans wrote:
> On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman wrote:
> > On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
> >> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman wrote:
> >> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> >> > vulnerable to POODLE. I followed instructions for Apache httpd at
> >> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
> >> > but that does not seem to cure the problem.
> >> > SSLLabs still reports the servers as vulnerable. Does anyone know what
> >> > I'm missing?
> >>
> >> Given that you are on the university network, are you sure there is no
> >> proxy in between and that SSLLabs is testing the proxy?
> >
> > Good question. One of the servers is actually outside the university
> > firewall, so I *think* that's not an issue, at least for that machine.
> > I'm pretty sure that machines on the campus network are behind a network
> > firewall, but not behind a campus proxy.
>
> Perhaps a simple way to test it would be to disable TLS in your
> browser and try connecting to them? As you are inside the campus
> network, you would probably not hit a proxy and if you only accept SSL
> and not TLS, the connection should fail.
> In firefox I would set security.tls.version.min to 10 or so and see
> what happens. Note: I have not actually tried it, but I think that
> would do the trick.

Thanks for the suggestion. Changing the min (and fallback-limit, because I
didn't know what that did) to 10 does not cause a failure to connect. So
either (a) the server change didn't take or (b) the browser change didn't
take or (c) I need to do something else in the browser to force SSLv3.

Still confused...

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
Re: Blocking POODLE
On Fri, Jan 16, 2015 at 3:45 AM, Matthew Saltzman wrote:
> On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
>> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman wrote:
>> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
>> > vulnerable to POODLE. I followed instructions for Apache httpd at
>> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
>> > but that does not seem to cure the problem.
>> > SSLLabs still reports the servers as vulnerable. Does anyone know what
>> > I'm missing?
>>
>> Given that you are on the university network, are you sure there is no
>> proxy in between and that SSLLabs is testing the proxy?
>
> Good question. One of the servers is actually outside the university
> firewall, so I *think* that's not an issue, at least for that machine.
> I'm pretty sure that machines on the campus network are behind a network
> firewall, but not behind a campus proxy.

Perhaps a simple way to test it would be to disable TLS in your
browser and try connecting to them? As you are inside the campus
network, you would probably not hit a proxy and if you only accept SSL
and not TLS, the connection should fail.
In firefox I would set security.tls.version.min to 10 or so and see
what happens. Note: I have not actually tried it, but I think that
would do the trick.

-- 
Best regards,
André
Re: Blocking POODLE
On Thu, 2015-01-15 at 19:09 +0100, Andre Speelmans wrote:
> On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman wrote:
> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> > vulnerable to POODLE. I followed instructions for Apache httpd at
> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
> > but that does not seem to cure the problem.
> > SSLLabs still reports the servers as vulnerable. Does anyone know what I'm
> > missing?
>
> Given that you are on the university network, are you sure there is no
> proxy in between and that SSLLabs is testing the proxy?

Good question. One of the servers is actually outside the university
firewall, so I *think* that's not an issue, at least for that machine.
I'm pretty sure that machines on the campus network are behind a network
firewall, but not behind a campus proxy.

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
Re: Blocking POODLE
On Thu, Jan 15, 2015 at 3:40 AM, Matthew Saltzman wrote:
> SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> vulnerable to POODLE. I followed instructions for Apache httpd at
> https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
> but that does not seem to cure the problem.
> SSLLabs still reports the servers as vulnerable. Does anyone know what I'm
> missing?

Given that you are on the university network, are you sure there is no
proxy in between and that SSLLabs is testing the proxy?

-- 
Best regards,
André
Re: Blocking POODLE
On Wed, 2015-01-14 at 22:39 -0700, Chris Murphy wrote:
> On Wed, Jan 14, 2015 at 7:40 PM, Matthew Saltzman wrote:
> > SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> > vulnerable to POODLE. I followed instructions for Apache httpd at
> > https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
> > but that does not seem to cure the problem. SSLLabs still reports the
> > servers as vulnerable. Does anyone know what I'm missing?
> >
> > The server also runs Trac and Subversion servers and a separate vhost
> > runs Jenkins. Does something special need to be done for those
> > services?
> >
> > (These are, in fact, RHEL 7 servers running httpd-2.2.15-39.el6.x86_64,
> > but I hope someone here will know what's going on.)
>
> RHEL servers have support from Red Hat, send an email or pick up the
> phone. The patches between RHEL and Fedora are documented, but unless
> someone actually knows the answer it's totally non-obvious how to
> answer your question other than "yes I realize it's 2015, but here's
> how you use a telephone..."
>

Well, this is a site license at a large university, so in order to get to
RH support, I have to go through (sometimes not very responsive or
helpful) institutional IT middlemen. So I thought I'd ask here first, in
case the answer was simple and/or common across httpd versions, because
sometimes folks on this list are generous and willing to help out in such
cases.

Sorry to bother you.

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
Re: Blocking POODLE
On Wed, Jan 14, 2015 at 7:40 PM, Matthew Saltzman wrote:
> SSLLabs reports a couple of servers of mine have SSL v3 enabled and are
> vulnerable to POODLE. I followed instructions for Apache httpd at
> https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/,
> but that does not seem to cure the problem. SSLLabs still reports the
> servers as vulnerable. Does anyone know what I'm missing?
>
> The server also runs Trac and Subversion servers and a separate vhost
> runs Jenkins. Does something special need to be done for those
> services?
>
> (These are, in fact, RHEL 7 servers running httpd-2.2.15-39.el6.x86_64,
> but I hope someone here will know what's going on.)

RHEL servers have support from Red Hat, send an email or pick up the
phone. The patches between RHEL and Fedora are documented, but unless
someone actually knows the answer it's totally non-obvious how to
answer your question other than "yes I realize it's 2015, but here's
how you use a telephone..."

-- 
Chris Murphy