How to Test for the SSLv3 Poodle Vulnerability

You’ve probably heard about the ‘Poodle’ vulnerability; it’s been front-page news on most tech news sites today. Poodle is the name given to a vulnerability that results from a design flaw in a 17-year-old protocol – SSL version 3.0. Unfortunately, SSLv3 is still supported by a number of commonly used applications.

It was discovered by researchers at Google and announced on Google’s online security blog, along with information posted to the OpenSSL project website (here’s a link to an HTML mirror of the announcement). It’s also been covered by many mainstream news sources.

This issue impacts both clients (such as your web browser) and server-side applications (such as Apache, nginx, OpenVPN, Postfix etc.). As with any security issue, consult your vendor or project website for specific details; they will always have the latest information relevant to you. If you’re using a web hosting company, check their blog or news pages to see if they’ve posted about it, or get in touch with them to make sure you’re OK.

I’ve pulled together a few ways you can check if your client or server (for example your website) is vulnerable.

How to Test Your Server

There are a few ways to test if you’re vulnerable to this issue; here are a few of the easiest I’ve found. You will need to run these from your shell/terminal:

SSLv3 Test Using cURL

curl -v3 -I https://www.example.com

Check the output. You want to see something similar to the following:

* SSL peer handshake failed

Rather than something like this:

* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL

Thanks to the participants of this thread for this info.

SSLv3 Test Using the OpenSSL Client

openssl s_client -connect example.com:443 -ssl3

If it connects, you are most likely vulnerable; if it fails, SSLv3 is most likely disabled. Thanks to the participants of this thread for this info (this post is recommended reading). There are already several testing sites online, listed below; I’ll update the list as I find other working tools.
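The OpenSSL test above, as an added example that is not part of the original post: a failed connection only says something about the server if the local openssl build can still speak SSLv3, so this script reports three outcomes instead of two. The function names and the abbreviated sample outputs are constructed for illustration, and the matched strings assume typical `openssl s_client` output.

```shell
#!/bin/sh
# Added example: interpret the output of `openssl s_client ... -ssl3`.
# classify_sslv3 and check_sslv3 are hypothetical helper names.

# Reads captured s_client output on stdin and prints one of:
#   accepted      server completed an SSLv3 handshake (exposed to Poodle)
#   rejected      server refused the SSLv3 handshake
#   inconclusive  the test could not be performed, no verdict on the server
classify_sslv3() {
    out=$(cat)
    # Local client built without SSLv3: the -ssl3 option is not recognised,
    # so nothing was ever sent to the server.
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo inconclusive
    # Handshake aborted: no cipher was negotiated.
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    # Session established with SSLv3 and a real cipher.
    elif printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv3' &&
         printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted
    else
        # Connection refused, DNS failure, timeout and similar.
        echo inconclusive
    fi
}

# Live check against a host you administer: check_sslv3 host [port]
check_sslv3() {
    openssl s_client -connect "$1:${2:-443}" -ssl3 </dev/null 2>&1 |
        classify_sslv3
}

# Constructed, abbreviated sample outputs (not captured from a real host).
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_REJECTED='sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3'
SAMPLE_REFUSED='connect: Connection refused'
```

An "inconclusive" result means the check should be repeated from a client that still supports SSLv3, not that the server is safe.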

Poodle Testing Sites

Testing for SSLv3 (Poodle)
A screenshot from https://www.poodletest.com/

Last Update: 16/10/2014
