[openssl-dev] Poodle Vulnerable
Tomas Hoger
thoger at redhat.com
Thu Jan 29 15:01:27 UTC 2015
On Thu, 29 Jan 2015 06:33:13 +0000 Kannan Narayanasamy -X (kannanar -
HCL TECHNOLOGIES LIMITED at Cisco) wrote:
> For the POODLE vulnerability we have upgraded OpenSSL to version
> 0.9.8zc. But the result still shows as vulnerable. (downloaded poodle.sh
> script from the link https://access.redhat.com/articles/1232123 to
> verify)
The script checks if a target server has SSL 3.0 enabled, i.e. the PO
part of POODLE. OpenSSL 0.9.8zc does not address that; it adds a
feature (TLS_FALLBACK_SCSV) to help mitigate/block the DLE part. The
script does not attempt to check if the server implements this fallback
protection.
--
Tomas Hoger
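
The check the script does not perform, sketched as an added example (not part of the original message or of the Red Hat script): build a downgraded ClientHello carrying TLS_FALLBACK_SCSV (RFC 7507) and classify the server's first reply record. The function names are hypothetical and the sample replies are constructed; the hello must offer a version lower than the server's highest for the result to mean anything.

```python
import os
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 alert description
ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70

def build_fallback_hello(version=(3, 1), suites=(0x002F, 0x0035, 0x000A)):
    """ClientHello offering `version` (default TLS 1.0) with the SCSV appended."""
    ciphers = b"".join(struct.pack("!H", s) for s in (*suites, TLS_FALLBACK_SCSV))
    body = (bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first TLS record sent back in reply to the downgraded hello."""
    if len(data) < 5:
        return "no-response"
    rtype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:              # alert record: level, description
        desc = payload[1]
        if desc == ALERT_INAPPROPRIATE_FALLBACK:
            return "fallback-protected"                  # server implements the SCSV check
        if desc in (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION):
            return "version-refused"                     # offered version not accepted
        return "other-alert"
    if rtype == 0x16 and payload[:1] == b"\x02":         # handshake record: ServerHello
        return "downgrade-accepted"                      # no fallback protection seen
    return "unknown"

def sample_server_hello():
    """Constructed minimal TLS 1.0 ServerHello record, for offline demonstration."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed fatal alert record: inappropriate_fallback (0x56 == 86)
SAMPLE_FALLBACK_ALERT = bytes.fromhex("15030100020256")

if __name__ == "__main__":
    print(len(build_fallback_hello()), "byte ClientHello")
    print(classify_response(SAMPLE_FALLBACK_ALERT))
    print(classify_response(sample_server_hello()))
```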