OpenSSL update to resolve SSL3 poodle issues

  • OpenSSL update to resolve SSL3 poodle issues

    Hello, OpenSSL has implemented the recommended way to deal with the SSLv3 POODLE vulnerability: not removing SSLv3 support but preventing up-to-date browsers from being able to downgrade to SSL3 when both they and the server accept more secure protocols.

    https://www.openssl.org/news/secadv_20141015.txt

    Any chance of OpenSSL being patched or upgraded soon on CloudLinux?

  • #2
    We will be following RHEL on that. Yet, from what I have read on security mailing lists -- you are better off disabling SSLv3.


    • #3
      We have disabled SSLv3 but some sites that enable SSL just for SEO prefer to remain compatible with IE6 and Firefox is rumoured to not use TLS on other ports than the default 443.

      Google recommends not disabling SSLv3 as it is still better than no SSL but making it so a browser that is TLS compatible can be tricked into using SSLv3 thus making this vulnerability useless with a modern browser.


      • #4
        Any news on integrating the fix pushed by Red Hat earlier today?


        • #5
          Any update on this?


          • #6
            Are there any new updates, sir?

            Thank you

            John T.


            • #7
              Hello John,
              Thank you for reaching out! There is no exact information yet, but if there is this update in CentOS 6 then it will also be in CloudLinux. We will be following RHEL on that. Thanks.


              • #8
                When OpenSSL is configured with no-ssl3 as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them


                • #9
                  > When OpenSSL is configured with no-ssl3 as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

                  Hello Stanko,
                  If you mean https://cve.mitre.org/cgi-bin/cvenam...=CVE-2014-3568, then CentOS 6 / CL 6 does not have this patch yet, and on CentOS 7 / CL7 the version of OpenSSL is not among the affected ones.
                  Thanks


                  • #10
                    To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, or enable them by default. However use of SSLv2 or SSLv3 is now strongly recommended against.
                    Last edited by juniovid; 09-07-2022, 05:38 AM.
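
Posts #2 and #10 above recommend disabling SSLv3 on the server. As an added example (not code from any poster, CloudLinux or Red Hat), this script checks Apache `SSLProtocol` and nginx `ssl_protocols` lines for SSLv2/SSLv3 left enabled. The expansion of `all`, the handling of bare tokens and the sample config are assumptions of the example.

```python
import re

# Assumption: what "all" expands to depends on the httpd/OpenSSL build;
# builds from the time of this thread (2014) still included SSLv3 in it.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = {"sslv2", "sslv3"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.I)

def apache_enabled(tokens):
    """Evaluate mod_ssl SSLProtocol arguments left to right."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-")
        names = APACHE_ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        elif tok.startswith("+"):
            enabled |= names
        else:
            enabled = set(names)  # assumed: a bare token replaces the set so far
    return enabled

def audit(config_text):
    """Return (line_no, directive, legacy_protocols_enabled) per offending line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        tokens = m.group(2).lower().split()
        # nginx ssl_protocols is a plain list; Apache needs +/- evaluation.
        if m.group(1).lower() == "sslprotocol":
            tokens = apache_enabled(tokens)
        bad = sorted(set(tokens) & LEGACY)
        if bad:
            findings.append((no, m.group(1), bad))
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# SSLProtocol all
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""
if __name__ == "__main__":
    for no, directive, bad in audit(SAMPLE):
        print(f"line {no}: {directive} still enables {', '.join(bad)}")
```
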
