SSLv3 Poodle and Elastix

Google has just disclosed the SSL POODLE vulnerability, which is a design flaw in SSLv3. SSLv3 is enabled by default in Elastix and many other servers. Since it is a design flaw in the protocol itself and not an implementation bug, there will be no patches. The only way to mitigate this is to disable SSLv3 in your web server or any application using SSL.

How to test for SSL POODLE vulnerability?

The following simple script tests for it. It is a rewrite of Red Hat's script, which would give a false negative if the script failed in any way, giving a false sense of security.

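#!/bin/bash
# The timeout helper ships as a bash example script; make it executable first.
chmod 755 /usr/share/doc/bash-3.2/scripts/timeout
# Attempt an SSLv3-only handshake against the local web server
# (port: second argument, default 443), giving up after 5 seconds.
ret=$(echo Q | /usr/share/doc/bash-3.2/scripts/timeout 5 openssl s_client -connect "127.0.0.1:${2-443}" -ssl3)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # A session summary was printed; a cipher of 0000 means nothing was negotiated.
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled"
    else
        echo "SSL 3.0 enabled"
    fi
else
    # No session summary at all: the handshake was refused or the test itself failed.
    echo "SSL disabled or other error"
fi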

The output will be similar to the following on Elastix:

[root@elastix24 ~]# ./sslv3.sh 
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Jun 15 18:30:20 2014 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Jun 15 18:30:20 2014 GMT
verify return:1
DONE
SSL 3.0 enabled

As we can see, it's enabled.

Now edit the file /etc/httpd/conf.d/ssl.conf

and change line 100 (in Elastix 2.4)

from

SSLProtocol all -SSLv2

to

SSLProtocol all -SSLv2 -SSLv3

Then restart the httpd service.

Then test again and you should get

13033:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
13033:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
SSL disabled or other error
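
The handshake test above only covers the server answering on 127.0.0.1, while a virtual host can carry its own SSLProtocol line. As an added example (not part of the original post or of Elastix), this shell check reads Apache config text and lists every active SSLProtocol directive that still leaves SSLv3 enabled. It assumes "all" includes SSLv3, as on the Elastix 2.4 httpd above; the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag SSLProtocol directives in
# Apache config text that still leave SSLv3 enabled.

# allows_sslv3 TOKEN...: replay one directive's arguments left to right.
# "+proto" adds, "-proto" removes, a bare "proto" replaces the whole set.
# Assumption: "all" includes SSLv3, as on the Elastix 2.4 httpd in the post.
# Returns 0 if SSLv3 ends up enabled, 1 if not.
allows_sslv3() {
    v3=0
    for tok in "$@"; do
        name=$(printf '%s' "${tok#[+-]}" | tr 'A-Z' 'a-z')
        case "$tok" in
            -*) sign=minus ;;
            +*) sign=plus ;;
            *)  sign=bare ;;
        esac
        case "$name:$sign" in
            sslv3:minus|all:minus) v3=0 ;;  # removed, alone or with everything
            sslv3:*|all:*)         v3=1 ;;  # added or set
            *:bare)                v3=0 ;;  # e.g. bare "TLSv1" replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# audit_ssl_conf: read config text on stdin and print "LINENO: line" for each
# active (uncommented) SSLProtocol directive that allows SSLv3. Returns 1 if
# any was found. Runs in a subshell so "set -f" does not leak to the caller.
audit_ssl_conf() (
    set -f                                  # no globbing while splitting
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                        # directive followed by its arguments
        [ "$#" -gt 0 ] || continue
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        shift
        if allows_sslv3 "$@"; then echo "$n: $line"; bad=1; fi
    done
    exit "$bad"
)

# Constructed sample: commented line, stock line, fixed line, two overrides.
sample_conf() {
    printf '%s\n' '# SSLProtocol all' 'SSLProtocol all -SSLv2' \
        'SSLProtocol all -SSLv2 -SSLv3' '    SSLProtocol -all +TLSv1' \
        '  sslprotocol TLSv1 +SSLv3'
}
sample_conf | audit_ssl_conf || echo "SSLv3 still allowed by the lines listed above"
```

To check the live file, run audit_ssl_conf < /etc/httpd/conf.d/ssl.conf and then repeat the handshake test.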

If you want to read the background, the relevant document is ssl-poodle.pdf.