There has been a good deal written about the SSL 3.0 POODLE vulnerability today. SSL 3.0 is nearly 15 years old and, as it turns out, not very secure. The most definitive description of the issues with SSL 3.0 was
written by Google researchers and can be found here. The official description of the
vulnerability, CVE-2014-3566, is located here.
While the researchers at Google did a nice job of explaining
the risk and suggesting some alternatives (like disabling SSL 3.0), they left
determining whether or not your server is vulnerable as an exercise for the
reader. If you manage a single site, you
can visit this site from Symantec to run a quick
test online.
However, if you manage an entire data center or a corporate
intranet, the problem is a little harder.
Never fear, though, because I used my lunch hour to solve the problem
for you. Take a look at this project.
The first script, ssl3_cipher_check.sh, checks a single
target for the presence of SSL 3.0 support.
The results will be similar to the following:
# ssl3_cipher_check.sh 192.168.1.51 443
Testing 192.168.1.51:443 for support of SSL3.0 ciphers...
YES - SSL 3.0 support detected on 192.168.1.51:443
The second script, ssl3_scan.sh, allows you to test an
entire network range. Using a network
range specified in CIDR notation or a format compatible with nmap, the script
detects and checks the standard and alternate ports commonly used for HTTPS on
all hosts in the network range. Results
will be similar to the following:
# ./ssl3_scan.sh 192.168.1.0/24
Beginning test... please be patient...
192.168.1.17:443 - SSL3.0 NOT supported
192.168.1.35:443 - SSL3.0 NOT supported
192.168.1.34:443 - SSL3.0 NOT supported
192.168.1.51:443 - SSL3.0 supported
192.168.1.58:443 - SSL3.0 supported
How you decide to mitigate the risk is on you. Happy testing! ;-)
October 20 Update: Patches are available from OpenSSL.org and are described here.
October 20 Update: Patches are available from OpenSSL.org and are described here.
