3-Round-Stones / callimachus

Callimachus is a highly scalable platform for creating and running data-driven websites

Close SSL v3 POODLE Vulnerability #174

Closed prototypo closed 9 years ago

prototypo commented 9 years ago

Callimachus' SSL implementation is currently vulnerable to the SSL v3, TLS v1 POODLE vulnerability: https://www.openssl.org/~bodo/ssl-poodle.pdf

Close the vulnerability by disallowing SSL v3 and TLS v1 protocols entirely (even as downgraded options). Preferably, TLS 1.2 should be used.

catch-point commented 9 years ago

IE10 has TLSv1.1 and TLSv1.2 disabled by default. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

prototypo commented 9 years ago

Sure, but so what? This is a server-side issue not just a browser one.

POODLE is exploited by tricking servers into downgrading their SSL or TLS to a vulnerable version through compatibility checking.

catch-point commented 9 years ago

If we disallow TLSv1, we will be excluding IE10 and below.

prototypo commented 9 years ago

This is the test to pass: https://www.ssllabs.com/ssltest/index.html

prototypo commented 9 years ago

Removing SSL v3 support is sufficient to close this issue.
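As an added illustration (not code from the Callimachus repository), the following Python script shows both halves of what this issue asks for: a server-side context that will not negotiate SSLv3 or TLSv1 at all, so a downgrade has nothing to land on, and a small probe in the spirit of the SSL Labs check that pins a client to one protocol version at a time and reports which versions a server still accepts. The host, port and function names are this example's own choices; the probe lowers the local OpenSSL security level so that a "refused" answer comes from the server rather than from a client that was unwilling to offer the old version.

```python
import socket
import ssl

# Ordered oldest to newest. SSLv2 is omitted: no current OpenSSL speaks it.
_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}

# Versions this issue wants gone; a server that still accepts one is downgradable.
POODLE_TARGETS = ("SSLv3", "TLSv1")


def hardened_server_context():
    """Server context that will not negotiate SSLv3, TLSv1 or TLSv1.1.

    Pinning minimum_version is the server-side fix: a client that only offers
    SSLv3/TLSv1 gets a handshake failure instead of a downgraded session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A real deployment also calls ctx.load_cert_chain(certfile, keyfile);
    # omitted so this example runs without key material (example assumption).
    return ctx


def allowed_protocol_names(ctx):
    """Protocol versions the context is *configured* to accept, oldest first.

    This reads the context's own bounds only; the linked OpenSSL may refuse
    some of them anyway (most builds have no SSLv3 code at all).
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _VERSIONS[-1]
    return [_NAMES[v] for v in _VERSIONS if lo <= v <= hi]


def probe_protocol(host, port, version, timeout=5.0):
    """One handshake with the client pinned to exactly `version`.

    Returns "accepted", "refused", "unsupported-locally" or "unreachable".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # we only ask whether the server negotiates
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported-locally"  # e.g. SSLv3 on an OpenSSL built without it
    try:
        # OpenSSL at security level >= 1 will not even offer TLS < 1.2; drop the
        # level for the probe so "refused" reflects the server's decision.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                          # LibreSSL and others: keep the default list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError:              # handshake alert: server declined the version
        return "refused"
    except OSError:                   # DNS failure, timeout, connection refused
        return "unreachable"


def audit(host, port=443):
    """Probe every version and list the POODLE-relevant ones still accepted."""
    report = {_NAMES[v]: probe_protocol(host, port, v) for v in _VERSIONS}
    legacy = [n for n in POODLE_TARGETS if report.get(n) == "accepted"]
    return report, legacy


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # example default
    print("hardened server accepts:", allowed_protocol_names(hardened_server_context()))
    report, legacy = audit(target)
    for name, result in report.items():
        print(f"{name:8} {result}")
    print("POODLE-relevant versions still accepted:", legacy or "none")
```

Run it as `python poodle_check.py example.com` against a server you are authorised to test. A "refused" for SSLv3 from a modern client can also mean the local OpenSSL has no SSLv3 support at all, so confirm with a second tool (the SSL Labs test linked above) before closing the issue on that evidence alone.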