{"id":1283,"date":"2014-10-20T08:42:15","date_gmt":"2014-10-20T08:42:15","guid":{"rendered":"http:\/\/178.62.237.127\/?p=1283"},"modified":"2014-10-24T23:28:49","modified_gmt":"2014-10-24T23:28:49","slug":"sslv3-poodle-and-elastix","status":"publish","type":"post","link":"https:\/\/www.cyber-cottage.co.uk\/?p=1283","title":{"rendered":"SSLv3 Poodle and Elastix"},"content":{"rendered":"

Google has just <\/span>disclosed<\/a><\/span> SSL POODLE vulnerability which is a design flaw in SSLv3. \u00a0By default SSLv3 is enabled by default in Elastix and many other servers, Since it is a design flaw in the protocol itself and not an implementation bug, there will be no patches. Only way to mitigate this is to disable SSLv3 in your web server or application using SSL.<\/p>\n

How to test for SSL POODLE vulnerability?<\/b><\/p>\n

The following simple script will test, its a re-write of Redhats that would give a false negative if the script fails in anyway giving a false sense of security.<\/p>\n

#!\/bin\/bash\r\nchmod 755 \/usr\/share\/doc\/bash-3.2\/scripts\/timeout\r\nret=$(echo Q | \/usr\/share\/doc\/bash-3.2\/scripts\/timeout 5 openssl s_client -connect \"127.0.0.1:${2-443}\" -ssl3)\r\nif echo \"${ret}\" | grep -q 'Protocol.*SSLv3'; then\r\n if echo \"${ret}\" | grep -q 'Cipher.*0000'; then\r\n echo \"SSL 3.0 disabled\"\r\n else\r\n echo \"SSL 3.0 enabled\"\r\n fi\r\nelse\r\n echo \"SSL disabled or other error\"\r\nfi<\/pre>\n
The outputs will be similar to below on Elastix<\/p>\n
[root@elastix24 ~]# .\/sslv3.sh \r\ndepth=0 \/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=localhost.localdomain\/emailAddress=root@localhost.localdomain\r\nverify error:num=18:self signed certificate\r\nverify return:1\r\ndepth=0 \/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=localhost.localdomain\/emailAddress=root@localhost.localdomain\r\nverify error:num=10:certificate has expired\r\nnotAfter=Jun 15 18:30:20 2014 GMT\r\nverify return:1\r\ndepth=0 \/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=localhost.localdomain\/emailAddress=root@localhost.localdomain\r\nnotAfter=Jun 15 18:30:20 2014 GMT\r\nverify return:1\r\nDONE\r\nSSL 3.0 enabled<\/pre>\n
As we can see its enabled.<\/p>\n
Now edit the file \u00a0\/etc\/httpd\/conf.d\/ssl.conf<\/p>\n
and change line 100 (in Elastix 2.4)<\/p>\n
from SLProtocol all -SSLv2<\/strong><\/em> \u00a0 \u00a0to \u00a0SLProtocol all -SSLv2 -SSLv3<\/strong><\/em><\/p>\n
The restart the httpd service.<\/p>\n
then test again and you should get<\/p>\n
13033:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40\r\n13033:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:\r\nSSL disabled or other error<\/pre>\n
If you want to read the background here is the relevant document<\/p>\n
Click to access ssl-poodle.pdf<\/a><\/p>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
Google has just disclosed SSL POODLE vulnerability which is a design flaw in SSLv3. \u00a0By default SSLv3 is enabled by default in Elastix and many other servers, Since it is a design flaw in the protocol itself and not an implementation bug, there will be no patches. Only way to mitigate this is to disable […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[89,82],"tags":[23,35,40,51,68,76,77],"class_list":["post-1283","post","type-post","status-publish","format-standard","hentry","category-elxsupport","category-security-knowledge","tag-asterisk","tag-elastix","tag-freepbx","tag-linux","tag-security","tag-voip","tag-xorcom"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p5daZy-kH","jetpack_sharing_enabled":true,"jetpack_likes_enabled":false,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1283"}],"version-history":[{"count":1,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1283\/revisions"}],"predecessor-version":[{"id":1284,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1283\/revisions\/1284"}],"wp:attachment":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}