16 Oct
2014
16 Oct
'14
11:34 a.m.
Hi,
By now you have probably been made aware of a security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
I don't intend to open tickets with individual customers and nag
until this is fixed, because it's very time-consuming to do that.
To check if your server needs reconfiguring:
https://www.tinfoilsecurity.com/poodle
To disable SSLv3 on Apache newer than 2.2:
Add "-SSLv3" to the end of the "SSLProtocol" line which can
normally be found in /etc/apache2/mods-available/ssl.conf on
Debian and Ubuntu.
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
Nginx:
Make sure that the "ssl_protocols" line does not contain the
string "SSLv3". e.g.:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
is good.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
16 Oct
16 Oct
11:41 a.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
On 16/10/2014 12:34, Andy Smith wrote:
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
The 2.2 that comes with RHEL/CentOS 5.x supports "-SSLv3" (but they do
backport things from newer versions sometimes).
ssl.conf lives in /etc/httpd/conf.d/ on CentOS/RHEL.
Mike
12:02 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hello,
On Thu, Oct 16, 2014 at 12:41:33PM +0100, Mike Zanker wrote:
On 16/10/2014 12:34, Andy Smith wrote:
It's possible I should have said "older than 2.2". Or it might be
some other version cut-off, not sure! If one doesn't work the other
should, anyway. :)
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
The 2.2 that comes with RHEL/CentOS 5.x supports "-SSLv3" (but they
do backport things from newer versions sometimes).
12:01 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hi,
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith wrote:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because,
This email went to everyone on the announce@ list by the way.
My conversational tone was probably a mistake as it lead some to
believe that they were receiving the email because their IP
address(es) are known to support SSLv3. This is not the case.
Everyone got the email. You should check if you haven't already.
As I say I'm not intending to follow up with individuals over this.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
2:29 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Andy said:
there are over 150 customer IPs at BitFolk that are
still
supporting SSLv3 on port 443.
A reminder that your webserver may not be the only thing listening out
for https connections on some port or other.
By default Webmin uses 10000 and if you use it..
.. check https://yourdomain.whatever:10000 and you'll see it'll accept
SSLv3.
The current fix is to add
ssl_version=10
to /etc/webmin/miniserv.conf and then restart webmin but that may
enforce TLSv1 rather than allowing any other TLS version (the
documentation of the SSLeay library doesn't make that clear).
Doubtless (?) there will be a proper fix soon.
cPanel and other such software almost certainly has a similar issue
and fix.
Ian
9:23 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Interesting. I applied the fixes that Andy suggested, restated everything,
then tested at the address https://www.tinfoilsecurity.com/poodle It said
still a problem, so I downloaded the script at
https://gist.github.com/bitfolk/18e8f48ebe937e802967 and ran that and it
said all OK. on both VPS. Debian has now produced a security update to add
support for Fallback SCSV to help mitigate the problem
On 16 October 2014 12:34, Andy Smith <andy(a)bitfolk.com> wrote:
Hi,
By now you have probably been made aware of a security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
I don't intend to open tickets with individual customers and nag
until this is fixed, because it's very time-consuming to do that.
To check if your server needs reconfiguring:
https://www.tinfoilsecurity.com/poodle
To disable SSLv3 on Apache newer than 2.2:
Add "-SSLv3" to the end of the "SSLProtocol" line which can
normally be found in /etc/apache2/mods-available/ssl.conf on
Debian and Ubuntu.
On Apache 2.2 or older:
You'll need to use "SSLProtocol TLSv1"
Nginx:
Make sure that the "ssl_protocols" line does not contain the
string "SSLv3". e.g.:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
is good.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
--
Keith Williams
FCLT magazine http://issuu.com/fcltmagazine/docs/fclt_september_2014_issue_1
Farang Can Learn Thai www.farangcanlearnthai.com
Keith's Place www.keiths-place.co.uk
Tailor Made English www.tmenglish.org
West Norfolk RSPCA www.westnorfolkrspca.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAlQ/rSwACgkQIJm2TL8VSQv8IwCfZa8X8H+RjGxAOusfgcn3ZSar
J8IAoJbggsoEy1cuSApgf9rZa6mIQQjw
=CWAi
-----END PGP SIGNATURE-----
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
10:45 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Keith Williams said:
Debian has now produced a security update
to add support for Fallback SCSV to help mitigate the problem
As with at least some of the heartbleed fix releases, the updated
package for openssl doesn't restart every service that uses it.
lsof -n | grep ssl | grep DEL
.. will list those still running the old version and needing to be
restarted.
For me, that list included apache2, postfix, opendkim, bind9, webmin and
fail2ban.
Ian
17 Oct
17 Oct
12:23 a.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
On Thu, Oct 16, 2014 at 11:45:18PM +0100, Ian wrote:
Keith Williams said:
You can also use "checkrestart" from debian-goodies that will tell you what is
needed and the init script for each service (sometimes it fails to find the init
script, but sometimes).
Thanks a lot,
Rodrigo
Debian has now produced a security update
to add support for Fallback SCSV to help mitigate the problem
As with at least some of the heartbleed fix releases, the updated
package for openssl doesn't restart every service that uses it.
lsof -n | grep ssl | grep DEL
9 Dec
9 Dec
7:39 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hello,
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith wrote:
By now you have probably been made aware of a security
deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
ShadowServer have started reporting on this now, and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
8 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
** Andy Smith <andy(a)bitfolk.com> [2014-12-09 19:40]:
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith
wrote:
** end quote [Andy Smith]
Fine by me, but then mine checks out :) I've now just to to remember to make
sure I'm still OK when I finally get round to migrating from Apache to Nginx.
--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
By now you have probably been made aware of a
security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
ShadowServer have started reporting on this now, and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above). 
10 Dec
10 Dec
12:01 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
[Oops, this went to Paul only to begin with, apologies]
On 09/12/14 20:00, Paul Tansom wrote:
** Andy Smith <andy(a)bitfolk.com> [2014-12-09
19:40]:
+1, but then the people that haven't sorted it out yet probably
don't pay too much attention to what's posted on the mailing
lists either.
Andy, it's your trainset, do what you think is best.
I still don't want to be opening tickets with
people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above).
** end quote [Andy Smith]
Fine by me, but then mine checks out :) 
9:54 a.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Yeah, fine with me.
Thanks
On 9 December 2014 19:39:05 GMT+00:00, Andy Smith <andy(a)bitfolk.com> wrote:
Hello,
On Thu, Oct 16, 2014 at 11:34:04AM +0000, Andy Smith wrote:
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
By now you have probably been made aware of a
security deficiency in
the design of SSL 3.0 which has been dubbed "POODLE". Here's some
more info:
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploi…
I am writing to you because, unless this script is flawed:
https://gist.github.com/bitfolk/18e8f48ebe937e802967
then there are over 150 customer IPs at BitFolk that are still
supporting SSLv3 on port 443.
ShadowServer have started reporting on this now, and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
------------------------------------------------------------------------
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce 
11:48 a.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
On 09/12/14 19:39, Andy Smith wrote:
I still don't want to be opening tickets with
people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here. It only takes a
few seconds to scan all of BitFolk's IP space anyway and there are
multiple scripts published to do so (including the one linked
above).
I don't mind that report being posted here, but, like others have said,
I have disabled SSLv3 on nginx now so am not worried about it.
Also, if they haven't gotten around to fixing their machines they are
probably more likely to *not* be paying attention to this mailing list.
n
16 Dec
16 Dec
5:44 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Hello,
On Tue, Dec 09, 2014 at 07:39:05PM +0000, Andy Smith wrote:
ShadowServer have started reporting on this now, and
their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here.
Here you go:
http://dl.shadowserver.org/4o9jR_W433PVUJ4CIuqH8V7ht7A?mXSocjvDYp7FJ-vqyoRi…
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
6:53 p.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
On 16/12/14 18:44, Andy Smith wrote:
Hello,
On Tue, Dec 09, 2014 at 07:39:05PM +0000, Andy Smith wrote:
Excellent - just what I needed to actually fix it. 5 min of spare time
and a tiny nudge :-)
- OM
ShadowServer have started reporting on this now,
and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here.
Here you go:
http://dl.shadowserver.org/4o9jR_W433PVUJ4CIuqH8V7ht7A?mXSocjvDYp7FJ-vqyoRi…
17 Dec
17 Dec
1:20 a.m.
New subject: SSL POODLE (CVE-2014-3566) vulnerabilities amongst the customer base
Surprisingly I didn't show up; either way I was affected and likewise good
nudge to do something about it... two of my servers (BitFolk VPS being one
of them) are still currently stuck on Debian Squeeze (long story, but
upgrading to Wheezy would most likely break some old binary installs).
Unfortunately the version of lighttpd packaged with Squeeze annoyingly
doesn't actually have a option to disable SSLv3... so I've quickly
backported the relevant code to enable that config.
https://github.com/matjohns/squeeze-lighttpd-poodle
Just in case anyone else is in a similar position, this worked for me.
~Mat
On 16 December 2014 at 18:53, Ole-Morten Duesund <olemd(a)glemt.net> wrote:
On 16/12/14 18:44, Andy Smith wrote:
Hello,
On Tue, Dec 09, 2014 at 07:39:05PM +0000, Andy Smith wrote:
Excellent - just what I needed to actually fix it. 5 min of spare time and
a tiny nudge :-)
- OM
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
ShadowServer have started reporting on this now,
and their latest
report still shows 79 IPs in BitFolk's customer IP space that are
vulnerable to SSLv3/Poodle.
I still don't want to be opening tickets with people individually
over this so unless there is an outrage against the idea then I'm
thinking of just posting next Tuesday's report here.
Here you go:
http://dl.shadowserver.org/4o9jR_W433PVUJ4CIuqH8V7ht7A?
mXSocjvDYp7FJ-vqyoRiow
3415
days inactive
3477
days old
16 comments
12 participants
participants (12)
-
Andy Smith -
Dom Latter -
Ian -
Keith Williams -
Mat Johns -
Mike Zanker -
Nigel Rantor -
Ole-Morten Duesund -
Paul Tansom -
Rodrigo Campos -
Simon -
Tony Andersson