Discussion:
HTTPS protocol supported by EZproxy is not secure now because of POODLE attack when is TLS patch coming
oliverg
2014-10-17 20:53:47 UTC
The only security protocol supported by EZproxy, SSLv3, is no longer secure.
Any word on an EZproxy patch to support TLS protocols?
--
Gary Oliver
---
You are currently subscribed to ezproxy as: gee-***@m.gmane.org.
To unsubscribe, send request to ***@itec.suny.edu
Gary Oliver
2014-10-18 15:29:58 UTC
Julien Savoie
2014-10-19 11:28:49 UTC
I was partly incorrect. If you upgrade to the latest version, TLS
security is also supported.
The only immediate problem left is we still can't disable SSLv3.
If you really need to kill it, you can packet filter it with an iptables
u32 match extension.

# iptables -I INPUT -p tcp ! -f -m tcp --dport 2443 -m state --state ESTABLISHED \
    -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffffff00=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x2&0xff=0x1&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x7&0xffff=0x300" \
    -j DROP

Then verify TLS1 works and SSL3 does not.

$ openssl s_client -connect proxy:2443 -quiet -tls1
$ openssl s_client -connect proxy:2443 -quiet -ssl3

I can think of easier ways to compromise ezproxy logins than POODLE.
The lack of strict-transport-security makes sslstrip an easier attack
for someone who can MITM the site.

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

For right now I'm happy to just use that rule to log any SSLv3 traffic
into the proxy with -j LOG --log-prefix "ezproxy SSLv3 "
> Since it is a compiled executable instead of OS based I think we
> should be able to upgrade to the very latest openssl which would give us
> the latest TLS 1.2 and better more secure options like Forward Secrecy.
I think what you mean to say is ezproxy is statically linked against
openssl rather than dynamically linking to whatever is installed on the
OS. Windows by default does not include OpenSSL. This means that if
they were to start dynamically linking ezproxy to openssl, they might
end up having to distribute openssl with the windows binary, or simply
continue to compile the windows version statically.

You don't need TLS 1.2 for forward secrecy. Diffie-Hellman key exchange
works fine under SSLv3/TLSv1. Go verify what your browser is using.

$ sslscan proxy:2443 | grep DHE- | grep Accepted
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
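The three u32 clauses in the iptables rule earlier in this message are easier to reason about when modelled directly on the TCP payload; the following is an added example, not code from the thread, that applies the same byte tests to constructed ClientHello headers and shows which hellos the rule drops and which it lets through (a TLS 1.0 client that wraps its hello in a 3.0 record passes, because the third clause checks client_version, not the record version).

```python
# Added example (not from the original thread): a pure-Python model of the
# three u32 clauses in the iptables rule above, applied to the TCP payload
# after the IP and TCP headers have been skipped by the two 0x3c@ jumps.
# Sample ClientHello headers are constructed here, not captured traffic.
import struct

SSL3 = (3, 0)
TLS10 = (3, 1)

def u32_load(payload: bytes, offset: int) -> int:
    """Mimic u32's 32-bit big-endian load at `offset` into the TCP payload."""
    return struct.unpack_from(">I", payload, offset)[0]

def sslv3_clienthello_match(payload: bytes) -> bool:
    """Same test as the rule:
       0&0xffffff00=0x16030000 -> record type 0x16 (handshake), record version 3.0
       2&0xff=0x1              -> byte 5: handshake type 1 (ClientHello)
       7&0xffff=0x300          -> bytes 9..10: client_version 3.0
    A payload shorter than 11 bytes cannot match (u32's load fails)."""
    if len(payload) < 11:
        return False
    return (u32_load(payload, 0) & 0xFFFFFF00 == 0x16030000
            and u32_load(payload, 2) & 0xFF == 0x01
            and u32_load(payload, 7) & 0xFFFF == 0x0300)

def client_hello(record_version, client_version, body_len=38) -> bytes:
    """Construct the first 11 bytes of a ClientHello record (sample input):
    5-byte record header, then handshake type, 3-byte length, client_version."""
    rec = bytes([0x16, *record_version]) + struct.pack(">H", body_len + 4)
    hs = bytes([0x01]) + body_len.to_bytes(3, "big") + bytes(client_version)
    return rec + hs

def classify(payload: bytes) -> str:
    """What the -j DROP rule would do with this payload."""
    if sslv3_clienthello_match(payload):
        return "drop: SSLv3 ClientHello"
    return "pass"

if __name__ == "__main__":
    for name, hello in [("SSLv3 record, SSLv3 client", client_hello(SSL3, SSL3)),
                        ("TLSv1 record, TLSv1 client", client_hello(TLS10, TLS10)),
                        ("SSLv3 record, TLSv1 client", client_hello(SSL3, TLS10))]:
        print(f"{name}: {classify(hello)}")
```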