SSLv3 and Poodle
Poodle is a serious security vulnerability in various Internet protocols, allowing encrypted connections to read private data from clients and servers.
The SSLv3 protocol has already been deactivated with the installation of the SSLserverPi_V1_3.py. The version SSLserverPi_V1_2.py has still activated the SSLv3 protocol and should only be installed in exceptional cases.
SSLserverPi_V1_2.py is the version that runs with Python version 2.7.3. This python version is included in the Raspberry pi operating system Raspbian version "wheezy".
The new Rapbian version "jessie" is already delivered with Python version 2.7.9 and can run with SSLserverPi_V1_3.py.
Unfortunately it is not possible to install Python 2.7.9 on "wheezy", using Raspbian Repository .
The command "sudo apt-get install python2.7.9" brings an error message. In my Blog "Raspberry pi update to Python 2.7.9 " I provide you a way how to get around this problem.
To check whether the SSLv3 protocol is disabled on the Raspberry pi, you can issue the following command.
# nmap -sV --version-light --script ssl-poodle -p 10023 192.168.0.50
Please replace -p 10023 with your port number and 192.168.0.50 with your IP address.
Ideally, the following feedback is obtained from nmap:
Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-18 11:13 CET
Nmap scan report for 192.168.0.50
Host is up (0.0022s latency).
PORT STATE SERVICE VERSION
10023/tcp open ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port10023…….
….
To compare the messages with running SSLserverPi_V1_2.py:
# nmap -sV --version-light --script ssl-poodle -p 10023 192.168.0.50
Starting Nmap 7.01 ( https://nmap.org ) at 2016-11-18 11:20 CET
Nmap scan report for 192.168.0.50
Host is up (0.0050s latency).
PORT STATE SERVICE VERSION
10023/tcp open ssl/unknown
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: LIKELY VULNERABLE
| IDs: OSVDB:113251 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
| other products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| other products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_FALLBACK_SCSV properly implemented
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| http://osvdb.org/113251
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
……
…..