Questions tagged [poodle-attack]

The POODLE (short for "Padding Oracle On Downgraded Legacy Encryption") attack is a man-in-the-middle exploit which takes advantage of web browsers' fallback to SSL 3.0. It was disclosed in September 2014.

Its CVE ID is CVE-2014-3566.

74 questions
1 vote, 1 answer

How can I disable SSL3 on DB2?

Is there a way to make DB2 not accept SSL3? I'm trying to secure a couple of DB2 databases I have on a couple of servers against the POODLE attack. I know you can do this through the operating system itself, but my question is if I don't have control…
M. A. Kishawy
1 vote, 1 answer

Self-Hosted Web API 2 (OWIN) & SSL 3 POODLE?

Was just wondering if self-hosted WebAPI applications are affected by the POODLE attack. We are using netsh to configure SSLCERT with our Web API 2 applications. Is there a way to disable SSLv3? Thanks.
qmo
1 vote, 2 answers

ActiveMerchant Poodle patch for PayPal

I'm using Rails 3, ActiveMerchant 1.5.1 gem, and PayPal express. Since recently I can't get my payments to work through PayPal, and I continue to receive this error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:…
Misha Slyusarev
1 vote, 2 answers

POODLE vulnerability, JBoss and IE

So, I have JBoss 5.1.0 GA, and I read about how I need to disable SSLv3 here: https://access.redhat.com/solutions/1232233 What was not mentioned here was that I also need to get rid of all ciphers that support falling back to SSLv3. When I did that,…
1 vote, 1 answer

Apache Mina x Poodle bug

How do I disable ssl v3 support in apache mina SslFilter? https://mina.apache.org/
CelinHC
1 vote, 2 answers

Rails omniauth facebook SSL handshake failure

My app has been running fine for months, and all of a sudden logging in just doesn't work. I get this: 2014-10-18T18:09:33.971670+00:00 app[web.1]: Faraday::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert…
volk
1 vote, 1 answer

How do I disable SSLv3 in Thin?

Is there a way to prevent Thin from accepting requests using SSLv3? I cannot find any resources on how to deal with Poodle for a Thin server running with SSL. I don't want to move thin behind nginx if I don't have to so any resources would be…
Danesh
0 votes, 1 answer

Curl 7.21 prompt blocklist when trying to connect using sslv3

I am trying to collect traffic about an sslv3 connection, and part of the program uses curl. To enable the sslv3 connection, the following is the version list: openssl 1.02k, curl 7.21, ubuntu 14.04. However, it prompts me "blocklist" when I try to connect.…
0 votes, 1 answer

Why does POODLE Attack only affect after downgrading to SSL 3.0?

I'm wondering which changes from SSL 3.0 to TLS 1.0 exactly fixed the POODLE attack. The basis for this attack is the message blocks M1||MAC||PAD, so a whole block is used for MAC and padding. I have the idea that it doesn't work anymore (without…
John Doe
0 votes, 0 answers

Modify and build OpenSSL source code

I want to build a special version of OpenSSL that doesn't check AES CBC padding properly. I am looking into the source of OpenSSL 1.0.2g. Which files in the source directory should I look for? I am trying to set up a POODLE TLS vulnerable server, using…
bhushan5640
0 votes, 1 answer

How to enable TLS instead of SSLv3 between Web Server and App Server (WebSphere 6.1)?

We have a web server (IBM HTTP Server 6.1) connected using HTTPS (using SSL certificates - SSLv3) to an application server (IBM WebSphere Application Server 6.1), the application that is hosted on the app server is not upgradable, so we cannot…
Ayhamov
0 votes, 1 answer

How to test whether sslv3 is enabled in jetty 8 or not

My task is to disable sslv3 in my jetty-8-1-14. I went through this link: How to disable sslv3 in jetty8 But to change the code I need to check the current status of sslv3 for jetty8 server. Is there any command by which I can get whether the…
S. Das
0 votes, 1 answer

Turn off SSLv3 on JBoss AS 7.1.1

I have Spring MVC App running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against Poodle vulnerability. JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL…
aram063
0 votes, 2 answers

How to test POODLE vulnerability for Jboss 7AS

We were facing the POODLE vulnerability in Jboss 7AS and I am able to provide a fix to the same issue by adding the protocol="TLSv1,TLSv1.1,TLSv1.2" attribute to the ssl tag in standalone.xml. Source Now I don't know how I can test it. Can someone…
SK.
0 votes, 2 answers

Unable to disable SSLv3 on WSO2 Carbon 4.0.6

Due to the possibility of a Poodle attack, I'm trying to disable SSLv3 on WSO2 ESB-4.6.0. Following the official documentation: Open [product_home]/repository/conf/axis2/axis2.xml Find the transportReceiver configuration element for…
elias