-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 8/9/16 12:36 PM, James H. H. Lampert wrote:
> On 8/9/16, 9:25 AM, Christopher Schultz wrote:
>> There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1].
>> If SSLv3 is completely disabled (TLS1.0 is okay), then you
>> aren't vulne
On 8/9/16, 9:25 AM, Christopher Schultz wrote:
There /is/ a POODLE variation which is against TLS 1.0 - 1.2 [1]. If
SSLv3 is completely disabled (TLS1.0 is okay), then you aren't
vulnerable to "classic" POODLE. If you aren't using CBC-based cipher
suites with TLS1.0 - TLS1.2, then you should be o
James,
On 8/8/16 2:31 PM, James H. H. Lampert wrote:
> Hmm. This is interesting.
>
> pentest-tools.com says that neither our server nor the customer
> server is vulnerable to POODLE.
>
> But Site24x7.com says ours IS vulnerable to POODLE. Then (wh
Vulnerability scanners are always iffy when it comes to finding actual
issues IMO. They're good for running a quick scan to get an overall
feel for weaknesses, but the effectiveness varies from tool to tool
(some only check versions, etc). I think that the best way to test if
you're vulnerable to P
Hmm. This is interesting.
pentest-tools.com says that neither our server nor the customer server
is vulnerable to POODLE.
But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click
"View Result") it says it isn't. Then (when I actually run the test
again) it once again says it is
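Given the disagreement between the scanners above, and Coty's point that scanners often only check versions, the most reliable answer is to ask the server directly. The following is an added example, not code from this thread or from Tomcat: it sends a minimal, hand-built ClientHello for SSLv3 and each TLS version and classifies the first record that comes back (ServerHello at the requested version, ServerHello at a lower negotiated version, an alert, or a closed connection). Building the record by hand matters because a modern local OpenSSL is usually compiled without SSLv3, so `openssl s_client -ssl3` cannot be used for this probe. The host name, the fixed cipher-suite list and the sample reply bytes in the test are constructed for illustration.

```python
"""Protocol-version probe: hand-built ClientHello per version, classify the reply.

Added example, not code from the Tomcat users thread. Target host and the
cipher-suite list are assumptions made for illustration.
"""
import socket
import struct

# Record-layer / handshake version numbers (major, minor).
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAMES = {v: k for k, v in VERSIONS.items()}

# Offered suites (assumed for the probe): RSA/AES-CBC and 3DES suites are valid
# for SSLv3 and every TLS version; TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
# is only selectable under TLSv1.2. The server only needs to pick one.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x009C)


def build_client_hello(version_name):
    """Return one TLS record carrying a ClientHello whose client_version is
    version_name. The record-layer version is 3.0 for SSLv3 and 3.1 for all
    TLS probes, which is what most real clients send for compatibility."""
    major, minor = VERSIONS[version_name]
    record_version = (3, 0) if version_name == "SSLv3" else (3, 1)
    client_random = b"\x00" * 32  # fixed; acceptable for a probe, never for a real client
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes((major, minor))                      # client_version
        + client_random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 16-bit length.
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data, version_name):
    """Classify the first record the server sent back.

    "accepted"          ServerHello at exactly the requested version
    "negotiated <ver>"  ServerHello, but the server chose a different version
    "rejected"          alert record (e.g. protocol_version, handshake_failure)
    "closed"            server closed the connection without answering
    "unknown"           anything else
    """
    if not data:
        return "closed"
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x15:  # alert
        return "rejected"
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:  # handshake/ServerHello
        chosen = NAMES.get((data[9], data[10]), "unknown version")  # server_version
        return "accepted" if chosen == version_name else f"negotiated {chosen}"
    return "unknown"


def probe(host, port=443, version_name="SSLv3", timeout=5.0):
    """Connect, send the ClientHello for version_name, classify the reply.
    Network-dependent; not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version_name))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_reply(data, version_name)


def probe_all(host, port=443):
    """Map every version name to its probe result for host:port."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    for name, result in probe_all(target).items():
        print(f"{name:8s} {result}")
```

A server with SSLv3 disabled should report "rejected" or "closed" for the SSLv3 row; a Java 6 Tomcat will typically show "accepted" for TLSv1.0 and "negotiated TLSv1.0" for the TLSv1.1 and TLSv1.2 rows, which is the situation the scanners above were complaining about. Run it against both the server being audited and a known-good host to calibrate before trusting the verdict.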
On 8/8/16, 10:32 AM, Coty Sutherland wrote:
So you've already mitigated POODLE and the scanner is just
complaining about your TLS version.
Or SSLLabs isn't actually checking to see if it can connect via SSLv3:
At present, SSL Labs has the following limitations:
In general, cipher suite suppor
So you've already mitigated POODLE and the scanner is just complaining
about your TLS version. Unfortunately, TLSv1.0 is the only TLS
protocol version available on java6, unless you're on u111 (from
https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https).
If you need TLSv1.2,
On 8/8/16, 9:59 AM, Coty Sutherland wrote:
To mitigate POODLE you must disable SSLv3 and only use TLS. Please
visit the wiki page for more info:
https://wiki.apache.org/tomcat/Security/POODLE
Actually, I found that on my own, only a few minutes after I posted my
question.
So would the existi
> Except for one. It seems that whoever is doing the customer's security audit
> is concerned with POODLE vulnerability.
To mitigate POODLE you must disable SSLv3 and only use TLS. Please
visit the wiki page for more info:
https://wiki.apache.org/tomcat/Security/POODLE
On Mon, Aug 8, 2016 at 12:
On 7/27/16, 11:59 AM, Mark Thomas wrote:
ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"
Ladies and Gentlemen:
Thanks, Mark; that raises the SSLLabs rating from "F" to "C," and seems
to have dealt with most of the concerns raised by the customer.
Except for one. It seem