SSL 3.0 (poodle) vulnerability?

Viren Patel
16 October 2014, 19:16


Hiawatha version: 9.8
Operating System: CentOS 5

Is Hiawatha 9.8 vulnerable to the SSL 3.0 (Poodle) bug? Several tests (designed for Apache) return true on my websites. If so, how do I disable SSL 3.0? Thanks.
Hugo Leisink
16 October 2014, 19:18
No, SSL3.0 is disabled by default. Hiawatha is only vulnerable to this if you've explicitly enabled SSL3.0 via MinSSLversion = SSL3.0.
Viren
16 October 2014, 19:30
Thanks! Good to know! Is there a Hiawatha-specific test to verify? My superiors will ask for this.
Hugo Leisink
16 October 2014, 19:59
David Oliver
16 October 2014, 23:26
Which version of Hiawatha disabled SSL3.0 by default? (I'm going to create new VPSes soon, anyway.)

SSL Labs tells me:

This server uses SSL 3, with POODLE mitigated. Still, it's recommended that this protocol is disabled.
David Oliver
16 October 2014, 23:33
Sorry - never mind. I've just realised that 'MinSSLversion' is a main config file setting anyway, so I can update it easily enough.
Hugo Leisink
17 October 2014, 00:14
Default value for MinSSLversion is set to TLS1.0 since Hiawatha v9.4. The option is available since v8.6.
This topic has been closed.
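
The configuration facts given in this thread (SSL3.0 is only on when MinSSLversion = SSL3.0 is set, the default is TLS1.0 since v9.4, the option exists since v8.6) can be turned into a config audit. This is an added example, not part of the original posts and not Hiawatha code; the function names, the `#` comment handling, the case-insensitive option match and the TLS1.1/TLS1.2 value spellings are assumptions.

```python
import re

# Values assumed accepted by MinSSLversion, weakest first (only SSL3.0 and
# TLS1.0 are named in the thread; the TLS1.1/TLS1.2 spellings are assumptions).
KNOWN = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2")
DEFAULT_TLS10_SINCE = (9, 4)  # thread: default is TLS1.0 since Hiawatha v9.4
OPTION_SINCE = (8, 6)         # thread: option available since v8.6


def min_ssl_settings(config_text):
    """Return every MinSSLversion value set in the config, upper-cased."""
    values = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        m = re.fullmatch(r"minsslversion\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            values.append(m.group(1).upper())
    return values


def audit(version, config_text):
    """Return (status, reason); status is 'ok', 'ssl3-enabled' or 'check'."""
    ver = tuple(int(p) for p in version.split("."))
    values = min_ssl_settings(config_text)
    if "SSL3.0" in values:
        return "ssl3-enabled", "MinSSLversion = SSL3.0 is set explicitly"
    unknown = [v for v in values if v not in KNOWN]
    if unknown:
        return "check", "unrecognised MinSSLversion value: " + unknown[0]
    if values:
        return "ok", "minimum protocol pinned to " + values[-1]
    if ver >= DEFAULT_TLS10_SINCE:
        return "ok", "no explicit setting; default is TLS1.0 from v9.4 on"
    if ver >= OPTION_SINCE:
        return "check", "default before v9.4 not stated; set MinSSLversion = TLS1.0"
    return "check", "MinSSLversion is not available before v8.6"


if __name__ == "__main__":
    # Constructed sample configs, not taken from a real server.
    samples = [
        ("9.8", "# stock config, option not set\n"),
        ("9.8", "MinSSLversion = SSL3.0\n"),
        ("9.3", "#MinSSLversion = SSL3.0\n"),
        ("9.3", "minsslversion = TLS1.0  # pinned\n"),
    ]
    for version, text in samples:
        print(version, audit(version, text))
```

A `check` result means the thread does not give enough information to decide; an external handshake test such as the SSL Labs scan quoted above remains the way to confirm what the running server actually negotiates.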