Follow

Info: Venafi Trust Protection Platform and the Poodle Vulnerability

The Poodle Vulnerability (CVE-2014-3566) allows a man-in-the-middle attach to obtain cleartext data of certain information in an SSLv3.0 conversation.

Venafi TPP does not implement its own SSL functionality.  Instead, Venafi utilizes the functionality provided by the Windows operating system. The Poodle vulnerability is a flaw in the actual SSLv3.0 protocol, not a bug in the SSLv3.0 code, therefore there is no code to patch or fix. In order to prevent this flaw from being exploited, it is necessary to disable SSLv3.0 support in the operating system itself. 

Microsoft has published knowledge base article KB187498 documenting on how to disable SSLv3.0 (as well as other flawed protocols). The article can be found here: https://support.microsoft.com/kb/187498

Alternatively, the following PowerShell script can be used to disable SSLv2.0 and SSLv3.0 support in Windows. A restart might be required after running the script.

-----------------------------------------------------------------------------

$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'

$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'

$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'

$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'

 

If(!(Test-Path -Path $regPath1))

{

New-Item -Path $regPath1 -Force

}

If(!(Test-Path $regPath2))

{

New-Item -Path $regPath2 -Force

}

   New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force

   New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force 

 

If(!(Test-Path $regPath3))

{

New-Item -Path $regPath3 -Force

}

 

If(!(Test-Path $regPath4))

{

New-Item -Path $regPath4 -Force

}

   New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force

   New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force

 -----------------------------------------------------------------------------

After disabling SSLv2.0 / SSLv3.0, OpenSSL can be used to verify that it is no longer allowed:

openssl s_client -connect <yourhostname>:443 -ssl2

If the protocol is properly disabled, you should see an error indicating an "ssl handshake failure". If it is enabled, you will instead see the server's certificate information

Testing for SSLv3.0 support is similar:

openssl s_client -connect <yourhostname>:443 -ssl3

If the protocol is properly disabled, you should see an error indicating an "ssl handshake failure". If it is enabled, you will instead see the server's certificate information

Was this article helpful?
1 out of 1 found this helpful

Comments