[openssl-dev] Poodle Vulnerable

Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) kannanar at cisco.com
Thu Jan 29 19:25:43 UTC 2015


Hi Tomas,

Thanks for the details. Is there any OpenSSL version that has the fix for this? From the OpenSSL site, it seems they have pointed out that the fix was in version 0.9.8zc. How can we overcome this issue?

Thanks,
Kannan Narayanasamy.

-----Original Message-----
From: Tomas Hoger [mailto:thoger at redhat.com] 
Sent: Thursday, January 29, 2015 8:31 PM
To: Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco)
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Poodle Vulnerable

On Thu, 29 Jan 2015 06:33:13 +0000 Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote:

> For the POODLE vulnerability we have upgraded OpenSSL to version
> 0.9.8zc, but the result still shows as vulnerable. (We downloaded the
> poodle.sh script from the link
> https://access.redhat.com/articles/1232123 to verify.)

The script checks if a target server has SSL 3.0 enabled, i.e. the PO part of POODLE. OpenSSL 0.9.8zc does not address that; it adds a feature (TLS_FALLBACK_SCSV) to help mitigate/block the DLE part. The script does not attempt to check if the server implements this fallback protection.

--
Tomas Hoger
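
Added example, not part of either message and not the poodle.sh script: a Python sketch of the two separate checks the reply distinguishes, an SSL 3.0 ClientHello sent without and with TLS_FALLBACK_SCSV (cipher suite value 0x5600 and alert 86, both from RFC 7507). The function names and the sample server replies are constructed for illustration; sending the hello to a server you administer and reading back the first record is left to the caller.

```python
import os
import struct

TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86      # RFC 7507 alert description
SSL3 = 0x0300

def client_hello(version, suites, fallback=False):
    """Build a minimal ClientHello record offering `version` as the highest version."""
    if fallback:
        suites = list(suites) + [TLS_FALLBACK_SCSV]
    body = struct.pack("!H", version) + os.urandom(32)     # client_version + random
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

def classify(response):
    """Interpret the first record a server returns to one of the hellos above."""
    if len(response) < 5:
        return "no-reply"
    ctype, _version, length = struct.unpack("!BHH", response[:5])
    payload = response[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                # alert record
        if payload[1] == INAPPROPRIATE_FALLBACK:
            return "fallback-protected"
        return "rejected"                                  # e.g. handshake_failure
    if ctype == 0x16 and payload[:1] == b"\x02":           # ServerHello
        return "accepted-0x%04x" % struct.unpack("!H", payload[4:6])[0]
    return "unknown"

def assess(plain_reply, scsv_reply):
    """Return (SSL 3.0 enabled?, TLS_FALLBACK_SCSV honoured?) from both probes."""
    return (classify(plain_reply) == "accepted-0x0300",
            classify(scsv_reply) == "fallback-protected")

# Constructed sample replies (not captured from any real server).
SERVER_HELLO_SSL3 = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                     + bytes(32) + b"\x00\x00\x0a\x00")
ALERT_FALLBACK = b"\x15\x03\x00\x00\x02\x02\x56"           # fatal, description 86

if __name__ == "__main__":
    # SSL 3.0 still enabled, fallback protection present
    print(assess(SERVER_HELLO_SSL3, ALERT_FALLBACK))
```

A result of `(True, True)` means a check that only tests for SSL 3.0 support would still flag the server even though the fallback protection is in place.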

