
@santisaez
Last active August 29, 2015 14:07
# poodle recap

Enable SSL logging on Apache and check whether your clients are still using SSLv3; with the CustomLog line below you get the protocol and cipher negotiated for each HTTPS request:

CustomLog /tmp/apache_ssl.log "%v %a %{SSL_PROTOCOL}x %{SSL_CIPHER}x"

Tip: see the mod_ssl documentation if you need other SSL environment variables.
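As an added example (not part of the original gist), a small Python log summariser for the exact CustomLog format above, "%v %a %{SSL_PROTOCOL}x %{SSL_CIPHER}x": it counts requests per protocol and lists, per vhost, the client addresses that still negotiate SSLv3. The sample log lines are constructed, not real traffic.

```python
"""Summarise SSL protocol use from the Apache CustomLog format
"%v %a %{SSL_PROTOCOL}x %{SSL_CIPHER}x" (vhost, client, protocol, cipher)."""
from collections import Counter
import re

# Four whitespace-separated fields; Apache writes "-" when a variable is unset
# (e.g. a plain-HTTP vhost that shares the same log file).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines in that format (not real traffic).
SAMPLE_LOG = """\
www.example.com 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
www.example.com 198.51.100.7 SSLv3 DES-CBC3-SHA
api.example.com 198.51.100.7 SSLv3 AES128-SHA
www.example.com 203.0.113.11 TLSv1 AES256-SHA
www.example.com 192.0.2.5 - -
malformed line here
"""


def parse_line(line):
    """Return (vhost, client, protocol, cipher), or None for non-SSL or unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vhost, client, proto, cipher = m.groups()
    if proto == "-":  # request was not over SSL/TLS
        return None
    return vhost, client, proto, cipher


def summarize(log_text):
    """Count requests per protocol and collect SSLv3 clients per vhost."""
    by_proto = Counter()
    sslv3_clients = {}  # vhost -> Counter(client address -> request count)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        vhost, client, proto, _cipher = rec
        by_proto[proto] += 1
        if proto == "SSLv3":
            sslv3_clients.setdefault(vhost, Counter())[client] += 1
    return by_proto, sslv3_clients, skipped


if __name__ == "__main__":
    by_proto, sslv3, skipped = summarize(SAMPLE_LOG)
    for proto, n in by_proto.most_common():
        print(f"{proto:8s} {n}")
    for vhost, clients in sslv3.items():
        for client, n in clients.items():
            print(f"SSLv3 client {client} on {vhost}: {n} request(s)")
    print(f"skipped {skipped} non-SSL or unparsable line(s)")
```

Run it against the real log file (`summarize(open(path).read())`) before disabling SSLv3, so you know which clients will break.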

If possible, disable SSLv3 on the web server:

  • Apache: SSLProtocol All -SSLv3 -SSLv2
  • nginx: ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Use external services to verify that SSLv3 is really disabled:

The ssl-enum-ciphers script for nmap can be used to discover which SSLv3/TLS ciphers a server accepts:

santisaez@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 twitter.com
(..)
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found

Red Hat has published a script that checks whether SSLv3 is enabled using the openssl client:

#!/bin/bash
# Usage: ./check_sslv3.sh [host] [port]   (defaults: local hostname, 443)
# Attempt an SSLv3-only handshake; the piped "Q" closes the session once connected.
ret=$(echo Q | timeout 5 openssl s_client -connect "${1:-$(hostname)}:${2:-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
  # A handshake summary was printed; cipher 0000 means no SSLv3 cipher was negotiated
  if echo "${ret}" | grep -q 'Cipher.*0000'; then
    echo "SSL 3.0 disabled"
  else
    echo "SSL 3.0 enabled"
  fi
else
  echo "SSL disabled or other error"
fi

Useful links:
