OpenSSL update to resolve SSL3 poodle issues

  • clm
    Senior Member
    • Mar 2021
    • 259

    #1

    OpenSSL update to resolve SSL3 poodle issues

    Hello, OpenSSL has implemented the recommended way to deal with the SSLv3 poodle vulnerability: not removing SSLv3 support but preventing up-to-date browsers from being able to downgrade to SSL3 when both they and the server accept more secure protocols.

    Any chance of OpenSSL being patched or upgraded soon on CloudLinux?
  • iseletsk
    Senior Member
    • Dec 2017
    • 1199

    #2
    We will be following RHEL on that. Yet, from what I have read on security mailing lists -- you are better off disabling SSLv3.


    • clm
      Senior Member
      • Mar 2021
      • 259

      #3
      We have disabled SSLv3, but some sites that enable SSL just for SEO prefer to remain compatible with IE6, and Firefox is rumoured to not use TLS on other ports than the default 443.

      Google recommends not disabling SSLv3 as it is still better than no SSL but making it so a browser that is TLS compatible can be tricked into using SSLv3 thus making this vulnerability useless with a modern browser.


      • clm
        Senior Member
        • Mar 2021
        • 259

        #4
        Any news on integrating the fix pushed by Red Hat earlier today?


        • rkent
          Junior Member
          • Mar 2021
          • 1

          #5
          Any update on this?


          • margueriteedward87
            Junior Member
            • Mar 2021
            • 1

            #6
            Are there any new updates, sir?

            Thank you

            John T.


            • skhristich
              Senior Member
              • Nov 2019
              • 595

              #7
              Hello John,
              Thank you for reaching out! There is no exact information yet, but if there is this update in CentOS 6 then it will also be in CloudLinux. We will be following RHEL on that. Thanks.


              • iraleksandrova1992+1
                Junior Member
                • Mar 2021
                • 1

                #8
                When OpenSSL is configured with no-ssl3 as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.


                • skhristich
                  Senior Member
                  • Nov 2019
                  • 595

                  #9
                  > When OpenSSL is configured with no-ssl3 as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

                  Hello Stanko,
                  If you mean https://cve.mitre.org/cgi-bin/cvenam...=CVE-2014-3568 then CentOS 6 / CL 6 does not have this patch yet, and on CentOS 7 / CL7 the version of OpenSSL is not affected.
                  Thanks


                  • juniovid
                    Junior Member
                    • Sep 2022
                    • 1

                    #10
                    To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, or enable them by default. However, use of SSLv2 or SSLv3 is now strongly recommended against.
                    Last edited by juniovid; 09-07-2022, 05:38 AM.
