[openssl-dev] Poodle Vulnerable

Kurt Roeckx kurt at roeckx.be
Thu Jan 29 20:26:33 UTC 2015


On Thu, Jan 29, 2015 at 07:28:45PM +0000, Salz, Rich wrote:
> You are misunderstanding him.
> 
> The version you have is patched.  The "poodle detection" script you are using is buggy. 

Just to clarify, poodle is something that can not be fixed in
SSLv3.  If you allow SSLv3 you are affected by poodle.  The only
way to really fix the poodle problem is by not allowing SSLv3.

The patch in the various branches does not fix the poodle problem,
it just tries to prevent it.  It adds a way to detect a downgrade
attack.  The most likely way poodle would be exploited is by doing
a downgrade attack from TLS to SSLv3.  There is a mitigation added
in case of a fallback from a higher to a lower SSL/TLS version by
the client.  If both sides support this mitigation you can detect
a downgrade attack and prevent the poodle attack.  If the client
does not support this mitigation you're still vulnerable.

Just disable SSLv3.


Kurt
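
The three cases in the message above, modelled as a server-side check. This is an added example, not part of the original message and not OpenSSL's code. It assumes the mitigation is the TLS_FALLBACK_SCSV signalling value from RFC 7507, which the message does not name; the types, function names and sample hellos are hypothetical and constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire versions; 0x5600 is TLS_FALLBACK_SCSV from RFC 7507. */
enum { SSL3 = 0x0300, TLS1_0 = 0x0301, TLS1_2 = 0x0303, FALLBACK_SCSV = 0x5600 };
typedef enum { ACCEPT, INAPPROPRIATE_FALLBACK, PROTOCOL_VERSION } verdict;

typedef struct {            /* simplified ClientHello (hypothetical type) */
    uint16_t version;       /* highest version offered in this attempt */
    const uint16_t *suites; /* offered cipher suite values */
    size_t n_suites;
} client_hello;

typedef struct {            /* server policy (hypothetical type) */
    uint16_t min_version, max_version;
    bool honours_scsv;      /* server carries the mitigation */
} server_cfg;

static bool offers_scsv(const client_hello *ch) {
    for (size_t i = 0; i < ch->n_suites; i++)
        if (ch->suites[i] == FALLBACK_SCSV) return true;
    return false;
}

/* Decide what the server does with one ClientHello. */
verdict server_check(const server_cfg *s, const client_hello *ch) {
    if (ch->version < s->min_version)
        return PROTOCOL_VERSION;        /* SSLv3 disabled: refused outright */
    if (s->honours_scsv && offers_scsv(ch) && ch->version < s->max_version)
        return INAPPROPRIATE_FALLBACK;  /* client fell back although we support more */
    return ACCEPT;                      /* handshake continues at ch->version */
}

/* Constructed samples: a client retrying at SSLv3 after a failed TLS attempt. */
static const uint16_t with_scsv[]    = { 0x002F, FALLBACK_SCSV };
static const uint16_t without_scsv[] = { 0x002F };
const client_hello retry_patched   = { SSL3, with_scsv, 2 };    /* sends the signal */
const client_hello retry_unpatched = { SSL3, without_scsv, 1 }; /* no mitigation */
const server_cfg ssl3_on  = { SSL3,   TLS1_2, true };
const server_cfg ssl3_off = { TLS1_0, TLS1_2, true };

int main(void) {
    printf("patched client, SSLv3 on:    %d\n", (int)server_check(&ssl3_on, &retry_patched));
    printf("unpatched client, SSLv3 on:  %d\n", (int)server_check(&ssl3_on, &retry_unpatched));
    printf("unpatched client, SSLv3 off: %d\n", (int)server_check(&ssl3_off, &retry_unpatched));
    return 0;
}
```

Only the configuration with SSLv3 disabled refuses the fallback from a client that lacks the mitigation.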


