1

So this is a relatively new problem.

My website is running on an Apache2 server deployed on an OPENSuse 10 Enterprise. As far as I've read there is a simple command line test:

 openssl s_client -connect mysite.com:443 -ssl3

Supposedly, if this returns "SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:" as output, among other things, SSLv3 is not supported and you're perfectly fine. And it does. So test confirmed - I'm all good.

Here's the problem though, the guys at SSLLabs have their own test. Here's a link: https://www.ssllabs.com/ssltest/index.html . This test fails and says that I am, in fact, vulnerable because SSLv3 IS supported by my server.

So yeah, two tests, completely opposite results. Which one do I trust? Are there any other tests? Is there any way to be certain?

Cata Visan
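One reason the two checks can disagree is that the `openssl s_client -ssl3` probe only proves something when the local openssl can actually speak SSLv3; a client built without SSLv3 rejects `-ssl3` as an unknown option, and a client-side error looks superficially like a server refusal. The script below is an added example, not part of the original post, that classifies the probe output into "accepted", "rejected" or "inconclusive" before anyone draws a conclusion; the hostnames and sample outputs are constructed.

```shell
#!/bin/sh
# Added example: interpret the output of "openssl s_client -connect HOST:443 -ssl3"
# so that a client-side failure is not mistaken for proof that the server
# rejects SSLv3. Sample outputs used for testing are constructed.

# classify_ssl3_output OUTPUT
# Prints one of:
#   inconclusive - the local openssl could not even attempt SSLv3
#                  (built with no-ssl3, or SSLv3 disabled in its own config)
#   rejected     - the server refused an SSLv3 handshake
#   accepted     - the server completed an SSLv3 handshake (SSLv3 is enabled)
# Note: s_client prints an "SSL-Session:" block with "Protocol : SSLv3" even on a
# failed handshake (with "Cipher : 0000"), so error patterns are checked first.
classify_ssl3_output() {
    out=$1
    case $out in
        *"unknown option"*|*"null ssl method"*|*"no protocols available"*)
            echo inconclusive ;;
        *"handshake failure"*|*"alert protocol version"*|*"Cipher"*": 0000"*)
            echo rejected ;;
        *"Protocol"*"SSLv3"*"Cipher"*)
            echo accepted ;;
        *)
            echo inconclusive ;;
    esac
}

# probe_ssl3 HOST [PORT]
# Runs the probe from the question against a live host and classifies it.
# stdin is closed so s_client does not wait for interactive input.
probe_ssl3() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    classify_ssl3_output "$out"
}

# Usage (hypothetical host): probe_ssl3 mysite.example.com
# Only "rejected" supports the claim that the server has SSLv3 disabled.
```

If the result is "inconclusive", the local openssl says nothing about the server and an external scanner such as the SSL Labs test is the better source; the server-side fix on Apache is `SSLProtocol all -SSLv3` in the SSL virtual host configuration.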

2 Answers

0

I would not rely on simply running tests; learn how to write SSL configurations and implement one which is secure. This includes making sure SSL3 is disabled at a server configuration level. Cipherli.st has a good list of premade SSL configurations which are secure.

mjsa
0

Do you really have OPENSuse 10 Enterprise? Are there still security updates available for the old version? Consider upgrading your operating system!

A test can only detect security holes it is looking for. So when you get a warning from a test, you should be annoyed and act. If you get no warning, the test may just overlook a security hole. The test at SSLLabs is a good test suite.

Sir Cornflakes