amuck-landowner

SSL vulnerability CVE-2014-3566

splitice

Just a little bit crazy...
Verified Provider
Unfortunately SSLv3 is the highest version of SSL supported in IE6. So by doing this you either restrict your site to IE7 or greater or do not provide SSL for IE6. In my books some SSL is better than no SSL even if said SSL is weakened due to this attack vector.

The best things to do:

- Upgrade your OpenSSL version to 1.0.1j, this prevents the MITM connection downgrade attack vector (if the client supports it) on modern browsers.

- On nginx: Check $ssl_protocol == "SSLv3" and the useragent not regex:"MSIE [4-6]\.", display an error in such a case
 

splitice

Just a little bit crazy...
Verified Provider
Just a quick update, here's some nginx config to do what I mentioned. I haven't tested this as we are doing this in a different manner, but it should work.

Code:
# Set when the handshake negotiated SSLv3 ($ssl_protocol is provided by the ssl module).
if ($ssl_protocol = "SSLv3") {
        set $SSL_POODLE "2";
}
# Prepend "1" unless the client is IE 4-6, the only browsers deliberately left on SSLv3.
if ($http_user_agent !~ "MSIE [4-6]\.") {
        set $SSL_POODLE "1$SSL_POODLE";
}
# Both conditions met (SSLv3 from a non-legacy client): refuse the request.
if ($SSL_POODLE = "12") {
        return 481;
}
 
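Before switching on the rule from the two posts above, an operator usually wants to know how many real clients it would affect and which SSLv3 connections are legacy IE versus something else. The following Python script is an added example, not code from either post: it applies the same SSLv3 / "MSIE [4-6]\." decision to nginx access-log lines. It assumes a hypothetical custom log_format that records $ssl_protocol and $ssl_cipher (the default "combined" format does not), and the log lines embedded in it are constructed.

```python
import re
from collections import Counter

# Constructed nginx access-log lines. They assume a custom (hypothetical) log_format:
#   log_format ssl '$remote_addr $ssl_protocol $ssl_cipher "$http_user_agent"';
SAMPLE_LOG = """\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
203.0.113.11 SSLv3 RC4-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.12 SSLv3 DES-CBC3-SHA "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0.2125.101"
203.0.113.13 TLSv1 AES256-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.14 SSLv3 RC4-MD5 "curl/7.19.7"
"""

LINE_RE = re.compile(r'^(?P<addr>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<ua>[^"]*)"$')
# The same user-agent pattern the posted nginx rule uses to recognise IE 4-6.
LEGACY_IE_RE = re.compile(r"MSIE [4-6]\.")


def classify(line):
    """Return (addr, proto, ua, action) for one log line, or None if it does not parse.

    action mirrors the posted rule: 'block' when the handshake used SSLv3 and the
    client is not IE 4-6; 'allow_legacy_ie' when SSLv3 was used by IE 4-6 (the
    deliberate exception); 'allow' for any TLS connection.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, ua = m.group("proto"), m.group("ua")
    if proto != "SSLv3":
        action = "allow"
    elif LEGACY_IE_RE.search(ua):
        action = "allow_legacy_ie"
    else:
        action = "block"
    return (m.group("addr"), proto, ua, action)


def summarize(log_text):
    """Count outcomes and collect the connections the rule would refuse."""
    counts = Counter()
    blocked = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec[3]] += 1
        if rec[3] == "block":
            blocked.append(rec)
    return counts, blocked


if __name__ == "__main__":
    counts, blocked = summarize(SAMPLE_LOG)
    print(dict(counts))
    for addr, proto, ua, _ in blocked:
        print(f"would block {addr} ({proto}) UA={ua!r}")
```

Run it against a day of real logs (after adding the custom log_format) and the "block" bucket tells you who is still negotiating SSLv3 from a modern browser; once the server runs OpenSSL 1.0.1j and the client sends TLS_FALLBACK_SCSV, those entries should disappear for browsers that honour the fallback signal, leaving only genuinely SSLv3-only clients.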