The Poodle Vulnerability (CVE-2014-3566) allows a man-in-the-middle attach to obtain cleartext data of certain information in an SSLv3.0 conversation.
Venafi TPP does not implement its own SSL functionality. Instead, Venafi utilizes the functionality provided by the Windows operating system. The Poodle vulnerability is a flaw in the actual SSLv3.0 protocol, not a bug in the SSLv3.0 code, therefore there is no code to patch or fix. In order to prevent this flaw from being exploited, it is necessary to disable SSLv3.0 support in the operating system itself.
Microsoft has published knowledge base article KB187498 documenting on how to disable SSLv3.0 (as well as other flawed protocols). The article can be found here: https://support.microsoft.com/kb/187498.
Alternatively, the following PowerShell script can be used to disable SSLv2.0 and SSLv3.0 support in Windows. A restart might be required after running the script.
-----------------------------------------------------------------------------
$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'
If(!(Test-Path -Path $regPath1))
{
New-Item -Path $regPath1 -Force
}
If(!(Test-Path $regPath2))
{
New-Item -Path $regPath2 -Force
}
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force
If(!(Test-Path $regPath3))
{
New-Item -Path $regPath3 -Force
}
If(!(Test-Path $regPath4))
{
New-Item -Path $regPath4 -Force
}
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force
-----------------------------------------------------------------------------
After disabling SSLv2.0 / SSLv3.0, OpenSSL can be used to verify that it is no longer allowed:
openssl s_client -connect <yourhostname>:443 -ssl2
If the protocol is properly disabled, you should see an error indicating an "ssl handshake failure". If it is enabled, you will instead see the server's certificate information
Testing for SSLv3.0 support is similar:
openssl s_client -connect <yourhostname>:443 -ssl3
If the protocol is properly disabled, you should see an error indicating an "ssl handshake failure". If it is enabled, you will instead see the server's certificate information
Comments