You’ve probably heard about the ‘Poodle’ vulnerability, it’s been front page news on most tech new sites today. Poodle is the name that has been given to a vulnerability which is the result of a design flaw in a 17 year old protocol – SSL version 3.0. Unfortunately, SSLv3 is still supported by a number of commonly used applications.
It was discovered by researchers at Google and announced on Google’s online security blog, along with information posted to the OpenSSL project website (here’s a link to a HTML mirror of the announcement). It’s also been covered by many mainstream news sources.
Google discloses vulnerability in SSL web encryption technology http://t.co/TudgFeLcAt
— HuffPost Tech (@HuffPostTech) October 15, 2014
This issue impacts both clients (such as your web browser) and server side applications (such as Apache, nginx, OpenVPN, Postfix etc.). As with any security issue, consult your vendor or project website for specific details, they will always have the latest information relevant to you. If you’re using a web hosting company, check their blog or news pages to see if they’re posted about it or get in touch with them to make sure you’re ok.
I’ve pulled together a few ways you can check if your client or server (for example your website) is vulnerable.
How to Test Your Server
There are a few ways to test if you’re vulnerable to this issue, here are few of the easiest I’ve found. You will need to run these from your shell/terminal:
SSLv3 Test Using cURL
curl -v3 -X HEAD https://www.example.com
Check the output, you want to see something similar to the following:
* SSL peer handshake failed
Rather than something like this:
* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL
Thanks to the participants of this thread for this info.
SSLv3 Test Using the OpenSSL Client
openssl s_client -connect example.com:443 -ssl3
If it connects you are most likely vulnerable, if it fails it is most likely disabled. Thanks to the participants of this thread for this info (this post is recommended reading). There are already several testing sites online listed below, I’ll update the list as I find other working tools.
Poodle Testing Sites
- https://zmap.io/sslv3/ (client test)
- https://www.poodletest.com/ (client test – as shown below)
- http://poodlebleed.com/ (server test)
- https://www.ssllabs.com/ssltest/ (server test – scroll down to ‘configuration’)
Last Update: 16/10/2014