Vulnerability scanners are always iffy when it comes to finding actual issues IMO. They're good for running a quick scan to get an overall feel for weaknesses, but the effectiveness varies from tool to tool (some only check versions, etc.). I think that the best way to test if you're vulnerable to POODLE is to try to connect via SSLv3, as you've already done, or with s_client (openssl s_client -ssl3 -connect $HOST:$PORT). If that fails to connect, then you're good. As far as the TLS issues, TLSv1.0 is vulnerable to BEAST (https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3389), so you may want to consider disabling CBC ciphers, or even upgrading to Java 7 if that's causing your audit to fail.
On Mon, Aug 8, 2016 at 2:31 PM, James H. H. Lampert <jam...@touchtonecorp.com> wrote:
> Hmm. This is interesting.
>
> pentest-tools.com says that neither our server nor the customer server is
> vulnerable to POODLE.
>
> But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click "View
> Result") it says it isn't. Then (when I actually run the test again) it once
> again says it is. (I haven't tested the customer site because results are
> posted on the test home page, which would compromise the customer's
> privacy.)
>
> Some other POODLE test sites don't appear to work at all. Others say we're
> not vulnerable.
>
> Manually testing both servers with
>>
>> curl -v3 -X HEAD https://www.example.com
>
> from a BASH session on my Mac, as per
> <http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerability/>
>
> comes back with the desired "failed handshake" message on both servers.
>
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
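The manual check the reply recommends (offer SSLv3 and see whether the server takes it) can be done without relying on a particular openssl or curl build, which is handy given the inconsistent scanner results quoted above. The following is an added example, not code from this thread or from Tomcat: it builds a raw SSLv3 (or TLS 1.0) ClientHello, sends it, and classifies the first record the server returns. A ServerHello that negotiates SSLv3 with a CBC suite meets POODLE's preconditions; an alert or a closed socket means SSLv3 is refused. The same parser flags TLS 1.0 plus CBC, which is the BEAST exposure the reply mentions. The cipher-suite list, the `build_server_hello` helper and the sample replies used offline are constructed for the demo; function names are mine.

```python
"""Raw SSLv3/TLS1.0 ClientHello prober (added example, not from the mailing-list thread)."""
import socket
import struct

SSLV3 = 0x0300  # wire version for SSL 3.0
TLS10 = 0x0301  # wire version for TLS 1.0

# Constructed suite list: common CBC suites plus RC4, so a server that refuses CBC
# but still speaks SSLv3 answers with a ServerHello instead of an alert.
CBC_SUITES = {0x000A, 0x002F, 0x0033, 0x0035, 0x0039}
RC4_SUITES = {0x0004, 0x0005}
OFFERED = sorted(CBC_SUITES | RC4_SUITES)

CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(version, suites=OFFERED, client_random=None):
    """One handshake record carrying a ClientHello that offers only `version`."""
    if client_random is None:
        client_random = b"\x00" * 32  # fixed value keeps the probe reproducible; real clients use os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version)
            + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


def build_server_hello(version, cipher, server_random=b"\x00" * 32):
    """Constructed ServerHello used for the offline demo (what a vulnerable server would send)."""
    body = struct.pack("!H", version) + server_random + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(data):
    """Parse the first record of the server's reply into a small result dict."""
    if len(data) < 5:
        return {"verdict": "closed", "version": None, "cipher": None, "alert": None}
    ctype, rver, rlen = data[0], struct.unpack("!H", data[1:3])[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        # payload = level, description (40 = handshake_failure, 70 = protocol_version)
        return {"verdict": "rejected", "version": rver, "cipher": None, "alert": payload[1]}
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 4 and payload[0] == HS_SERVER_HELLO:
        hs = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
        if len(hs) >= 35:
            off = 35 + hs[34]
            if len(hs) >= off + 2:
                return {"verdict": "accepted", "version": struct.unpack("!H", hs[0:2])[0],
                        "cipher": struct.unpack("!H", hs[off:off + 2])[0], "alert": None}
    return {"verdict": "unknown", "version": rver, "cipher": None, "alert": None}


def poodle_verdict(result):
    """POODLE needs SSLv3 *and* a CBC suite; an SSLv3 server that picks RC4 is flagged separately."""
    if result["verdict"] != "accepted" or result["version"] != SSLV3:
        return "not vulnerable"
    return "vulnerable" if result["cipher"] in CBC_SUITES else "sslv3 enabled, non-CBC suite chosen"


def beast_exposed(result):
    """True when TLS 1.0 was negotiated with a CBC suite (the CVE-2011-3389 precondition)."""
    return result["verdict"] == "accepted" and result["version"] == TLS10 and result["cipher"] in CBC_SUITES


def probe(host, port=443, version=SSLV3, timeout=5.0):
    """Network probe: connect, send the ClientHello, classify the reply. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""  # a reset or silence counts as refusal, same as an empty read
    return classify_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
        print(sys.argv[1], res, "->", poodle_verdict(res))
    else:
        alert = bytes([CONTENT_ALERT]) + struct.pack("!HH", SSLV3, 2) + b"\x02\x28"  # fatal handshake_failure
        for label, reply in [("sslv3+cbc", build_server_hello(SSLV3, 0x002F)),
                             ("sslv3+rc4", build_server_hello(SSLV3, 0x0005)),
                             ("alert", alert)]:
            r = classify_response(reply)
            print(label, r["verdict"], "->", poodle_verdict(r))
```

Run it as `python3 probe.py host [port]` for a live check, or with no arguments for the offline demo against the constructed replies. Only the first record is parsed, which is enough for the verdict: a server that really accepts SSLv3 must answer the ClientHello with a ServerHello before anything else.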