[openssl-dev] Openssl Poodle Vulnerability Clarification

Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) kannanar at cisco.com
Sat Jul 4 19:02:50 UTC 2015


Hi Joy,

Thanks for the steps. I have tried the exclusion option (command used: ./config no-idea no-ssl3 shared --prefix=/Openssl-1/) and am getting the below errors while executing the make test command.

Error1:

The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
Error opening certificate file ../certs/*.pem
11852:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('../certs/*.pem','r')
11852:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate
Generate a set of DH parameters

Error2:
SSLv2, cipher SSLv2 DES-CBC3-MD5, 1024 bit RSA
1 handshakes of 256 bytes done
Testing ciphersuites
Testing ciphersuites for SSLv3
Error in cipher list
12621:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223:
dh
test tls1 with 1024bit anonymous DH, multiple handshakes
Available compression methods:
  NONE
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT
12647:error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available:s2_clnt.c:575:
ERROR in CLIENT


Thanks,
Kannan Narayanasamy.

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Joey Yandle
Sent: Thursday, June 25, 2015 2:52 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

The config script takes no-ssl2 and no-ssl3 args:

./config no-ssl2 no-ssl3 ...


On 06/24/2015 11:57 AM, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
> Hi Kurt,
>
> Thanks for the details. The syslog process is based on Java, and disabling SSLv3 is not possible with it. We have tried to compile openssl with SSLv3 disabled but it didn't help. Can you share the steps, if you have them, to disable it via openssl compilation?
>
> Thanks,
> Kannan Narayanasamy.
>
>
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Kurt Roeckx
> Sent: Friday, June 12, 2015 3:37 AM
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] Openssl Poodle Vulnerability Clarification
>
> On Thu, Jun 11, 2015 at 09:43:24PM +0000, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
>> Hi All,
>>
>> To resolve the openSSL POODLE vulnerability we need to disable SSLv3. In our application we are using openSSL through Apache. We have disabled it using the below lines.
>>
>> SSLProtocol all -SSLv2 -SSLv3
>>
>> We are using 443 as the SSL port. The command openssl s_client -connect <IPAddress>:443 -ssl3 shows the handshake failure message for port 443. But ports 3333 and 4444 are connecting using SSLv3. The scanner also reports a high severity risk for those ports. In our application we are using those ports for syslog related tasks. If we change the port to some other one, then the scanner shows the new port in the list.
>>
>> How do we disable SSLv3 connections for those ports as well, since many customers are waiting for the fix? Your suggestion is much appreciated.
>
> There are 2 solutions:
> - Change the configuration of syslog to disable SSLv3.  Not sure
>    it can actually be configured.
> - Build your openssl with SSLv3 disabled.
>
>
> Kurt
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>