POODLE attack - SSLv3 enabled
Tool to test whether your website's server is POODLE-free (i.e. whether it still accepts SSLv3):
https://www.ssllabs.com/ssltest/
Courtesy: http://en.wikipedia.org/wiki/POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients'
A website or server is vulnerable to POODLE if the SSLv3 protocol is enabled. On a Windows server you can disable SSLv3 through regedit (the SChannel protocol keys), whereas on an Azure cloud service the instance is rebuilt from the package on every deployment, so the change has to be applied by a startup task declared in the service definition.
1. Add a .cmd batch file as the startup script in the role's project folder.
2. Reference that script in ServiceDefinition.csdef, in a <Task> element under <Startup>, with executionContext="elevated" (registry changes need administrator rights).
3. Keep the PowerShell (.ps1) file in the root of the website / web role project.
4. Make sure the .ps1 (and .cmd) files are included in the package: right-click each file in the Visual Studio solution, open Properties, and set Build Action to Content (a web application project does not show "Copy to Output Directory"; in a worker role project set Copy to Output Directory to "Copy always" instead).
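A worked startup task that makes the registry change, added here as an example; it is not code from the original post or from any of the linked articles, and the file names DisableSslv3.ps1 and DisableSslv3.cmd are assumed. It touches only the Server side of the SChannel protocol keys (disabling the Client side as well would also stop the role from calling any legacy SSLv3-only back end), and it reboots the instance only when it actually changed something, which is what keeps the task from rebooting in a loop on every role start:

```powershell
# DisableSslv3.ps1 - Azure web-role startup task (added example; file names are assumed).
# Disables SSLv2 and SSLv3 on the server side of SChannel and reboots once so the
# change takes effect. SChannel reads these keys at boot, so a restart is required.
$ErrorActionPreference = 'Stop'
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$changed = $false

foreach ($protocol in 'SSL 2.0', 'SSL 3.0') {
    # Only the Server subkey matters for POODLE; leave Client alone so outbound
    # calls from the role to legacy back ends keep working.
    $key = Join-Path (Join-Path $protocolsRoot $protocol) 'Server'

    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null   # -Force also creates the missing "SSL x.0" parent key
        $changed = $true
    }

    $current = Get-ItemProperty -Path $key
    if ($current.Enabled -ne 0) {
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        $changed = $true
    }
    if ($current.DisabledByDefault -ne 1) {
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
        $changed = $true
    }
}

if ($changed) {
    Write-Output 'SChannel protocol keys changed; rebooting so SChannel reloads them.'
    Restart-Computer -Force
} else {
    # Second and later starts land here, so the instance is not rebooted again.
    Write-Output 'SSLv2/SSLv3 already disabled on the server side; nothing to do.'
}
```

The matching DisableSslv3.cmd is a one-liner, `PowerShell -ExecutionPolicy Unrestricted -File "%~dp0DisableSslv3.ps1" >> "%TEMP%\DisableSslv3.log" 2>&1`, and ServiceDefinition.csdef references it from the WebRole element with `<Startup><Task commandLine="DisableSslv3.cmd" executionContext="elevated" taskType="simple" /></Startup>`. After deployment, confirm the keys on an instance with `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'` and then run an external scan; a WAF or WebSEAL in front of the role that terminates TLS itself will still answer SSLv3 regardless of this change.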
Importantly!
Even after deployment the SSL Labs scan may still show a C grade. Check whether a WebSEAL reverse proxy or a WAF (web application firewall) sits in front of your Azure web role: it terminates TLS itself, so SSLv3 has to be disabled on that device as well, not only on the role. Check with your infrastructure team.
http://www.ideliverable.com/blog/making-iis-configuration-changes-in-a-web-role-startup-task
http://blogs.msdn.com/b/jimoneil/archive/2011/02/07/azure-startup-tasks-and-powershell-lessons-learned.aspx
http://www.dotnettwitter.com/2011/11/executing-powershell-script-with.html
http://stackoverflow.com/questions/15350936/running-powershell-from-azure-startup-task
http://stackoverflow.com/questions/28888768/adding-startup-script-to-azure-web-role-copy-to-output-directory-missing
http://www.troyhunt.com/2014/10/disabling-ssl-3-in-azure-websites-and.html
http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx
Please engage the team that maintains these Linux boxes and follow the document below to disable SSLv3.
Web servers
Apache
Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:
SSLProtocol All -SSLv2 -SSLv3
Note that an SSLProtocol line inside a <VirtualHost> overrides the server-wide setting, so check every TLS virtual host, not just the main config. Then run:
sudo apache2ctl configtest && sudo service apache2 restart
(on RHEL/CentOS the equivalents are apachectl configtest and service httpd restart). Don't forget to test your website.
Nginx
Put the following line in your configuration file, or replace any existing line starting with ssl_protocols:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
As with Apache, an ssl_protocols line in a server block overrides the one in the http block. Check the syntax and restart the server (in Ubuntu):
sudo nginx -t && sudo service nginx restart
Don't forget to test your website.
Lighttpd
Lighttpd releases before 1.4.28 allow you to disable SSLv2 only. If you are running at least 1.4.29, put the following lines in your configuration file:
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
Then restart the server (in Ubuntu: sudo service lighttpd restart). Don't forget to test your website.
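The "test your website" step above, for both the Windows/Azure and the Linux servers, can be done from any workstation without the SSL Labs site: send the server a raw SSLv3 ClientHello and see whether it answers with a ServerHello (SSLv3 on, POODLE-exposed) or with an alert / closed connection (SSLv3 off). The function below is an added example, not code from the original post or from SSL Labs; the host name is whatever you pass in, and because it speaks to whatever terminates TLS, it also shows whether a WAF or WebSEAL in front of the server still accepts SSLv3:

```powershell
# Test-SslV3.ps1 (added example; not from the original post). Hand-builds an
# SSLv3 ClientHello, sends it over a plain TCP socket and classifies the reply.
function Test-SslV3 {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    # SSLv3 has no SNI, so only the host's default virtual host is exercised;
    # that is fine for a protocol check.
    $random = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
    # A few suites any SSLv3-era server knows: AES128-SHA, AES256-SHA,
    # DES-CBC3-SHA, RC4-SHA, RC4-MD5 (big-endian 16-bit IDs).
    $suites = @(0x00,0x2F, 0x00,0x35, 0x00,0x0A, 0x00,0x05, 0x00,0x04)
    # ClientHello body: version 3.0, 32-byte random, empty session id,
    # cipher suite list with 16-bit length, compression list with only "null".
    $body = @(0x03,0x00) + $random + @(0x00) + @(0x00, $suites.Count) + $suites + @(0x01,0x00)
    # Handshake header: type client_hello(1) + 24-bit length (body is 49 bytes, fits in one byte).
    $handshake = @(0x01, 0x00, 0x00, $body.Count) + $body
    # Record header: content type handshake(22), version 3.0, 16-bit length.
    $record = @(0x16, 0x03, 0x00, 0x00, $handshake.Count) + $handshake

    $client = New-Object System.Net.Sockets.TcpClient
    $sent = $false
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.Write([byte[]]$record, 0, $record.Count)
        $sent = $true

        # Read the first record header (5 bytes) plus the handshake type byte.
        $reply = New-Object byte[] 6
        $got = 0
        while ($got -lt $reply.Length) {
            $n = $stream.Read($reply, $got, $reply.Length - $got)
            if ($n -le 0) { break }
            $got += $n
        }

        if ($got -lt 5) { return "OK: $HostName closed the connection without a record; SSLv3 refused" }
        switch ($reply[0]) {
            0x16 {
                if ($got -ge 6 -and $reply[5] -eq 0x02) {
                    return "VULNERABLE: $HostName accepted SSLv3 (ServerHello received)"
                }
                return "VULNERABLE: $HostName answered the SSLv3 ClientHello with a handshake record"
            }
            0x15 { return "OK: $HostName sent an alert; SSLv3 refused" }
            default { return ("UNKNOWN: unexpected record type 0x{0:X2} from $HostName" -f $reply[0]) }
        }
    } catch {
        if ($sent) { return "OK: $HostName reset the connection after the ClientHello; SSLv3 refused" }
        return "ERROR: could not connect to ${HostName}:$Port ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

# Usage: Test-SslV3 -HostName www.example.com
```

Run it against the public name of the site (so the probe goes through the WAF or WebSEAL, if any) and, separately, against the role or Linux host's own address; a "VULNERABLE" result on the first but "OK" on the second is exactly the front-end situation described in the "Importantly!" note above.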